Ensuring Cryptographic-Level Randomness

[Xalos]

-snip-

I've noticed you've been going around Coding Help bashing solutions without actually helping the person who posted in the first place. Allow me to say on behalf of the newbie scripters you've inconvenienced, here and now...

STOP THAT.

[Ad Bot]

[Ipquarx]

He's right though, it won't work as he intended it to. I'd bet real money that he literally just slapped all that down in an hour at the very most and tested it little to none.

It's not cryptograhically secure, you can't use a non-secure RNG to make a secure one. It doesn't work like that.

you could just use the random.org web API, you get 200,000 bits of quota every day and since you said you don't need huge amounts, that should be more than enough.

[Brian Smithers]

This will still repeat at some point and, with the same base seed, will always give the same result. Except no, because it won't work at all.
This isn't Python, ** isn't a valid operator. Secondly, TorqueScript can't handle the magnitude of numbers you're using.
50000⁵⁰⁰⁰⁰ is obviously way above 999999. 234949 digits is a lot more than 6 digits.

I don't see you using setRandomSeed anywhere?

iirc getrandom does that.

[Ipquarx]

iirc getrandom does that.

Torque does it automatically after every tick. do echo(getRandomSeed()); a few times in the console and it'll be different every time.


TO BELOW POSTER:

It's not cryptograhically secure, you can't use a non-secure RNG to make a secure one. It doesn't work like that.

[Brian Smithers]

function lovingSecureRandomStep()
{
   %n = getRandom(-100,100);
   for(%i=0;%i<getRandom(10,20);%i+=1)
   {
      %r = getRandom(0,3);
      switch(%r)
      {
         case 0:
            %n += getRandom(getRandom(-100, -1),getrandom(1,100));
         case 1:
            %n -= getRandom(getRandom(-100, -1),getrandom(1,100));
         case 2:
            %n *= getRandom(getRandom(-100, -1),getrandom(1,100));
         case 3:
            %n /= getRandom(getRandom(-100, -1),getrandom(1,100));
      }
   }
   if(getRandom() > 0.5)
      return mFloor(%n);
   else
      return mCeil(%n);
}

function lovingSecureRandom(%secLev)
{
   if(%secLev $= "")
      %secLev = getRandom(1,10);
   if(%secLev > 10)
      %secLev = 10;
   if(%secLev < 1)
      %secLev = 1;
   for(%i=0;%i<%secLev;%i++)
   {
      %m += lovingSecureRandomStep();
   }
   %m /= %secLev;
}


THERE.
Tested and it works, did a 1000 in less than a second. I doubt anyone with in reason could determine the value of that.

[Xalos]

He's right though, it won't work as he intended it to.

I'm not disputing that. My point is that Port is waltzing into threads, tearing down solutions, and NOT actually helping the person in question with their problem. That's skirting trolling territory, really.

Anyway, if I had any idea how the hell a CSPRNG worked I could just make my own; I already have a byte array class coded that I could probably add multiplication to. The real problem is that I don't know how they work.

I don't really need them to be fast, just not painfully slow. If push came to shove I don't REALLY need one; I'd just prefer it because there are richards in this game, and avatars are SERIOUS BUSINESS.


EDIT: already*; I loathe typing on an iPod.

[Ipquarx]

Anyway, if I had any idea how the hell a CSPRNG worked I could just make my own; I alteady have a byte array class coded that I could probably add multiplication to. The real problem is that I don't know how they work.

use the random.org web API, you get 200,000 bits of quota every day

Example: URL to get 1kb of random bytes:
http://www.random.org/integers/?num=1024&min=0&max=255&col=1&base=10&format=plain&rnd=new

[Xalos]

-snip-

Getting randomness from a website for cryptographic purposes is WORSE than no cryptography at all. It carries all the performance overhead of encrypting a message with none of the security.

If Carol is in a position to get messages between Alice and Bob, it's very, very likely she can intercept messages from Alice to Randy as well.

EDIT: Added a newline at "...security. If..."

[Ipquarx]

Getting randomness from a website for cryptographic purposes is WORSE than no cryptography at all. It carries all the performance overhead of encrypting a message with none of the security.

If Carol is in a position to get messages between Alice and Bob, it's very, very likely she can intercept messages from Alice to Randy as well.

EDIT: Added a newline at "...security. If..."

If you're seriously worried about network tapping, then read this on how CSPRNG's work.

[Xalos]

If you're seriously worried about network tapping, then read this on how CSPRNG's work.

1.) I've already read that when I was trying to figure out CSPRNGs on the first place.
2.) I don't see how that in any way dismisses my point of "you can't get randomness for something from a website and expect it to be secure."

[Brian Smithers]

Suggestion:
Log the following:

> Amount of people who have joined in total
> Amount of unique joins
> Average playercount
> Amount of total bricks
> Amount of people who have planted bricks
> Amount of people who have chatted
> Amount of chat that has been said
> Average chat length (maybe, this is a bit questionable)
> Average bricks per person.

Now, take the $Sim::Time and multiply, divide, add, subtract, and use modulus to create psuedo random numbers.

[Ipquarx]

So, what exactly don't you understand about how they work? It seems the gist of it is gathering entropy from independent sources like the mouse or keyboard. How exactly you'd gather that data I'm not quite sur- What smithers suggested should work fine.

And I don't see why you can't expect it to be secure; the numbers themselves ARE secure. The only way it could be compromised is if someone was listening in on the transmitted data.

[Lugnut]

Suggestion:
Log the following:

> Amount of people who have joined in total
> Amount of unique joins
> Average playercount
> Amount of total bricks
> Amount of people who have planted bricks
> Amount of people who have chatted
> Amount of chat that has been said
> Average chat length (maybe, this is a bit questionable)
> Average bricks per person.

Now, take the $Sim::Time and multiply, divide, add, subtract, and use modulus to create psuedo random numbers.

and have the client move their mouse randomly and you've pretty much got a random number

[Greek2me]

I'm not disputing that. My point is that Port is waltzing into threads, tearing down solutions, and NOT actually helping the person in question with their problem. That's skirting trolling territory, really.

Port tends to do that a lot. He can be helpful sometimes, though.

and have the client move their mouse randomly and you've pretty much got a random number

It should be random enough without the mouse movement.

[Lugnut]

Port tends to do that a lot. He can be helpful sometimes, though.
It should be random enough without the mouse movement.

random enough vs a small thing that will make it as truely random as one can manage

Depends on if we're going for really random or hard to reproduce
Hard to reproduce is handled given the above input