如何获得真正的随机数据，而不是像 CSRNG 那样输入 PRNG 种子的随机数据? [英] How to get truly random data, not random data fed into a PRNG seed like CSRNG's do?

问题描述

据我所知，像 RNGCryptoServiceProvider 这样的 CSRNG 仍然通过 PRNG 传递真正随机的用户数据，如鼠标移动等，以对输出进行排序并使其均匀分布.这些位需要完全独立.

From what I understand, a CSRNG like RNGCryptoServiceProvider still passes the truly random user data like mouse movement, etc through a PRNG to sort of sanitize the output and make it equal distribution. The bits need to be completely independent.

(这是针对理论上无限算力的攻击者)如果 CSRNG 获取 1KB 真随机数据并将其扩展为 1MB，那么攻击者所要做的就是生成 1KB 数据的每个组合，将其扩展，然后查看哪 1MB 数据生成一个一次性填充，返回合理的英语输出.我在某处读到，如果一次性密码垫在 RNG 的任何地方都有一个 PRNG，它只是一个美化的流密码.我想知道真正随机的起始数据是否足够大，可以仅使用而不是加密扩展.我需要真正随机的一次性输出，而不仅仅是加密安全的 RNG.或者，也许还有其他方法可以以某种方式获得真正的随机数据，以便所有位彼此独立.我想用鼠标坐标异或几秒钟，然后可能是 Environment.TickCount 的最后一位数字，然后可能是麦克风输入(1、2、3、4) 以及.然而，正如有人在 stackoverflow 上指出的那样，我真的应该让操作系统处理这一切.不幸的是，这是不可能的，因为使用了 PSRNG.我想避免使用硬件解决方案，因为这是一个易于使用的程序，并且也不使用 RDRAND，因为它也使用 PRNG(除非 RDRAND 可以在通过 PRNG 之前返回真正的随机数据??).如果这样的事情甚至可能发生，我们将不胜感激；我已经在这个问题上工作了几个星期，印象是 RNGCryptoServiceProvider 足以一次性完成.谢谢.

(this is for a theoretical infinite computing power attacker) If the CSRNG takes 1KB of true random data and expands it to 1MB, all the attacker has to do is generate every combination of 1KB of data, expand it, and see which 1MB of data generates a one-time pad that returns sensible english output. I read somewhere that if the one-time pad had a PRNG anywhere in the RNG, it is just a glorified stream cipher. I was wondering if the truly random starting data was in large enough numbers to just use instead of cryptographically expanding. I need truly random output for a one-time pad, not just a cryptographically secure RNG. Or perhaps if there were other ways to somehow get truly random data, so that all bits are independent of each other. I was thinking of XOR'ing with the mouse coordinates for a few seconds, then perhaps the last digits of the Environment.TickCount, then maybe getting microphone input (1, 2, 3, 4) as well. However, as some point out on stackoverflow, I should really just let the OS handle it all. Unfortunately that isn't possible since there is an PSRNG used. I would like to avoid a hardware solution, since this is meant to be an easy to use program, and also not utilize RDRAND since it ALSO uses a PRNG (unless RDRAND can return the truly random data before it goes through a PRNG??). Would appreciate any responses if such a thing is even possible; I've been working on this for weeks under the impression that RNGCryptoServiceProvider was sufficient for a one time pad. Thanks.

(旁注:有人说对于大多数加密函数你不需要真正的熵，只是不可预测性.对于一次性填充，它必须是随机的，否则它不是一次性填充.)

(Side note: some say for most crypto functions you don't need true entropy, just unpredictability. for a one-time pad, it MUST be random otherwise it is not a one time pad.)

推荐答案

如您所知，真正随机"意味着每个位独立于其他一切并且均匀分布.然而，这个理想在实践中很难实现，如果不是不可能的话.一般来说，获得真正随机数据"的最接近方法是实际上是从非确定性来源中收集难以猜测的信息，然后浓缩这些信息位到随机数据块中.

As you know, "truly random" means each of the bits is independent of everything else as well as uniformly distributed. However, this ideal is hard, if not impossible, to achieve in practice. In general, the closest way to get "truly random data" in practice is to gather hard-to-guess bits from nondeterministic sources, then condense those bits into a random block of data.

要接近真正的随机数据"有很多问题，包括以下几点:

There are many issues involved with getting this close to "truly random data", including the following:

1. 来源必须是不确定的，也就是说，它们的输出不能由它们的输入决定.非确定性来源的例子包括输入设备的时间；热噪声；以及麦克风和摄像头输出记录的噪音.
2. 来源的输出必须难以猜测.这更正式地称为熵，例如每 64 位输出有 32 位熵.然而，测量熵绝非易事.如果您需要 1 MB(800 万位)的真正随机数据，您需要具有至少 800 万位熵的数据(实际上，根据来源的不同，其长度会超过 1 MB)，然后压缩以某种方式将数据转换为 1 MB 的数据，同时保留该熵.
3. 来源必须相互独立.
4. 应该有两个或更多独立的来源.这是因为不可能从一个来源中提取完全随机性(参见 McInnes 和 Pinkas 1990).另一方面，从三个或更多独立来源中提取随机性相对简单，但仍然存在选择合适的随机性提取器的问题，并且随机性提取器的调查超出了本答案的范围.

1. The sources must be nondeterministic, that is, their output cannot be determined by their inputs. Examples of nondeterministic sources include timings of input devices; thermal noise; and the noise registered by microphone and camera outputs.
2. The sources' output must be hard to guess. This is more formally known as entropy, such as 32 bits of entropy per 64 bits of output. However, measuring entropy is far from trivial. If you need 1 MB (8 million bits) of truly random data, you need to have data with at least 8 million bits of entropy (which in practice will be many times more than 1 MB long depending on the sources), then condense the data somehow into 1 MB of data while preserving that entropy.
3. The sources must be independent of each other.
4. There should be two or more independent sources. This is because it's impossible to extract full randomness from just one source (see McInnes and Pinkas 1990). On the other hand, extracting randomness from three or more independent sources is relatively trivial, but there is still a matter of choosing an appropriate randomness extractor, and a survey of randomness extractors would be beyond the scope of this answer.

一般来说，对于随机数生成而言，可用的来源越多越好.

In general, for random number generation purposes, the more sources available, the better.

参考:

• McInnes, J. L., &Pinkas, B.(1990 年，8 月).关于使用弱随机密钥的私钥加密的不可能性.在密码学理论与应用会议上(第 421-435 页).

这篇关于如何获得真正的随机数据，而不是像 CSRNG 那样输入 PRNG 种子的随机数据?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！