How to get truly random data, not random data fed into a PRNG seed like CSRNGs do?


Problem description

From what I understand, a CSRNG like RNGCryptoServiceProvider still passes the truly random user data, like mouse movement, etc., through a PRNG to sort of sanitize the output and make it equally distributed. The bits need to be completely independent.

(This is for a theoretical infinite-computing-power attacker.) If the CSRNG takes 1 KB of true random data and expands it to 1 MB, all the attacker has to do is generate every combination of 1 KB of data, expand it, and see which 1 MB of data generates a one-time pad that returns sensible English output. I read somewhere that if the one-time pad had a PRNG anywhere in the RNG, it is just a glorified stream cipher. I was wondering if the truly random starting data was available in large enough quantities to just use it instead of cryptographically expanding it. I need truly random output for a one-time pad, not just a cryptographically secure RNG. Or perhaps there are other ways to somehow get truly random data, so that all bits are independent of each other. I was thinking of XOR'ing with the mouse coordinates for a few seconds, then perhaps the last digits of Environment.TickCount, then maybe getting microphone input (1, 2, 3, 4) as well. However, as some point out on Stack Overflow, I should really just let the OS handle it all. Unfortunately that isn't possible, since a PRNG is used. I would like to avoid a hardware solution, since this is meant to be an easy-to-use program, and also not utilize RDRAND since it ALSO uses a PRNG (unless RDRAND can return the truly random data before it goes through a PRNG??). I would appreciate any responses on whether such a thing is even possible; I've been working on this for weeks under the impression that RNGCryptoServiceProvider was sufficient for a one-time pad. Thanks.

(Side note: some say that for most crypto functions you don't need true entropy, just unpredictability. For a one-time pad, it MUST be random, otherwise it is not a one-time pad.)

Recommended answer

As you know, "truly random" means each of the bits is independent of everything else as well as uniformly distributed. However, this ideal is hard, if not impossible, to achieve in practice. In general, the closest way to get "truly random data" in practice is to gather hard-to-guess bits from nondeterministic sources, then condense those bits into a random block of data.

There are many issues involved with getting close to "truly random data", including the following:

  1. The sources must be nondeterministic, that is, their output cannot be determined by their inputs. Examples of nondeterministic sources include timings of input devices; thermal noise; and the noise registered by microphone and camera outputs.
  2. The sources' output must be hard to guess. This is more formally known as entropy, such as 32 bits of entropy per 64 bits of output. However, measuring entropy is far from trivial. If you need 1 MB (8 million bits) of truly random data, you need to have data with at least 8 million bits of entropy (which in practice will be many times more than 1 MB long depending on the sources), then condense the data somehow into 1 MB of data while preserving that entropy.
  3. The sources must be independent of each other.
  4. There should be two or more independent sources. This is because it's impossible to extract full randomness from just one source (due to the so-called "Pinkas proof"). On the other hand, extracting randomness from three or more independent sources is relatively trivial, but there is still a matter of choosing an appropriate randomness extractor, and a survey of randomness extractors would be beyond the scope of this answer.

In general, for random number generation purposes, the more sources available, the better.
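As an added example (not part of the question or of the answer above), the following Python sketches the gather, estimate, condense loop the answer describes and the non-expansion property the asker wants: samples are collected per named source, at least two sources are required, entropy is estimated per source with a most-common-value min-entropy estimator in the style of NIST SP 800-90B, and a SHA-256 condenser hands out no more bits than the estimated entropy divided by a safety factor, then drains the pool so the same raw data can never yield a second pad. The 1 KB-to-1 MB expansion from the question is exactly what `extract()` refuses. The source names, the two synthetic sample sequences in `demo()`, the safety factor of 2 and the choice of SHA-256 as the condenser are assumptions of this example, not anything the page prescribes; the synthetic sequences are constructed data, not measurements, and they are perfectly predictable even though the frequency-only estimator scores them highly, which is the answer's point that measuring entropy is far from trivial.

```python
import hashlib
import math
import struct
from collections import Counter


def min_entropy_per_sample(samples):
    """Conservative min-entropy estimate in bits per sample.

    Most-common-value method in the style of NIST SP 800-90B: take the
    relative frequency of the most common value, widen it to a 99% upper
    confidence bound, and return -log2 of that bound. A constant source
    scores 0 bits. Caveat: this looks at value frequencies only, so a
    perfectly predictable sequence that never repeats a value still scores
    high; real assessments run several estimators and take the minimum.
    """
    n = len(samples)
    if n == 0:
        return 0.0
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_upper = 1.0
    if n > 1:
        p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_upper)


class EntropyPool:
    """Collects integer samples per named source and condenses them.

    The pool never expands: it hands out at most (estimated entropy /
    SAFETY_FACTOR) bits, and extract() drains it, so one set of raw
    samples can never yield two pads.
    """

    SAFETY_FACTOR = 2.0  # assumption: demand twice the estimated entropy
    BLOCK = 32           # SHA-256 digest size in bytes

    def __init__(self):
        self._sources = {}

    def add_samples(self, source, samples):
        """Append samples (non-negative ints below 2**64) from one named source."""
        values = [int(s) for s in samples]
        if any(v < 0 or v >= 1 << 64 for v in values):
            raise ValueError("samples must fit in an unsigned 64-bit integer")
        self._sources.setdefault(source, []).extend(values)

    def estimated_entropy_bits(self):
        # Sources are required to be independent, so their entropy adds.
        # Correlated sources would make this an overestimate.
        return sum(min_entropy_per_sample(s) * len(s) for s in self._sources.values())

    def available_bytes(self):
        """Largest output the pool will currently agree to produce."""
        return int(self.estimated_entropy_bits() // (8 * self.SAFETY_FACTOR))

    def extract(self, n_bytes):
        """Condense the whole pool into n_bytes, or raise if entropy is short."""
        if len(self._sources) < 2:
            raise ValueError("need at least two independent sources")
        have = self.estimated_entropy_bits()
        need = n_bytes * 8 * self.SAFETY_FACTOR
        if have < need:
            raise ValueError(f"insufficient entropy: have ~{have:.0f} bits, need {need:.0f}")
        rates = {name: min_entropy_per_sample(s) for name, s in self._sources.items()}
        n_blocks = math.ceil(n_bytes / self.BLOCK)
        out = bytearray()
        for i in range(n_blocks):
            # Block i hashes every n_blocks-th sample of each source starting
            # at offset i, so each block consumes its own disjoint share of
            # the raw data: the output is condensed, never seeded and expanded.
            h = hashlib.sha256()
            block_bits = 0.0
            for name in sorted(self._sources):
                share = self._sources[name][i::n_blocks]
                block_bits += rates[name] * len(share)
                h.update(name.encode("utf-8"))
                h.update(struct.pack(">I", len(share)))
                for v in share:
                    h.update(struct.pack(">Q", v))
            if block_bits < self.BLOCK * 8 * self.SAFETY_FACTOR:
                raise ValueError(f"block {i} would carry only ~{block_bits:.0f} bits")
            out += h.digest()
        self._sources.clear()  # consumed: a pad derived twice is no pad
        return bytes(out[:n_bytes])


def demo():
    """Constructed data, not measurements: two permutations of 0..511 stand in
    for e.g. input-event timing deltas and microphone LSBs. They are perfectly
    predictable, which the frequency-only estimator cannot see."""
    pool = EntropyPool()
    pool.add_samples("input_timing_us", [(i * 37) % 512 for i in range(512)])
    pool.add_samples("mic_lsb", [(i * 101 + 7) % 512 for i in range(512)])
    bits = pool.estimated_entropy_bits()   # roughly 7300 bits estimated
    pad = pool.extract(64)                 # 512 bits out, well under bits / 2
    return bits, pad


if __name__ == "__main__":
    bits, pad = demo()
    print(f"estimated entropy: {bits:.0f} bits; pad: {pad.hex()}")
```

Two things to take from running it: asking the same pool for 1024 bytes raises instead of stretching the data, and a second `extract()` after a successful one raises because the samples were consumed. Neither check makes the synthetic sequences in `demo()` secure; only real nondeterministic sources and a proper multi-estimator assessment can do that, and for anything other than a true one-time pad the OS CSPRNG remains the right tool.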
