wallet/docs/generating_numbers_unpredictable_to_an_attacker.md

---
title: Generating numbers unpredictable to an attacker
...
```default
From: Kent Borg <kentborg@borg.org> 2021-03-30
To: Cryptography Mailing List
```

Entropy is important to RNGs but unfortunately RNG people are at risk of
devoutly worshiping at the alter of "Countable Entropy", blinded to
realities, ready with jeers for anyone who does not share their extreme
theology.

These people are so in the thrall of the theoretical that they are blinded to
the practical and any other theories.

And for practical purposes, it is the unguessability of the RNG that
matters. Any source of unguessable data is a good thing to use to drive an
RNG. Even sources that are dismissed as "squish" by the most devout and
most blinded can be good. And there is a great example that these disciples
can't see.

# Time Distribution is Hard

NTP is really great, I love it, so cool. It can set my computer's clock with a
precision measured in milliseconds. Very impressive it can do this just by
applying algorithms to hardware that is already present.

If one wants better, the next option is to get time from GPS. According to
gps.gov a specialized receiver, at a fixed location, can know the time
within 40ns. This is pretty cool, too. It is good enough to synchronize RF
signals between CDMA cell sites so phones can communicate with more
than one site as the same time.

GPS also depends on billions of dollars of infrastructure with an annual
budget that must be in the millions. People think GPS is about location,
but at its core it is really about time distribution. From end-to-end a design
where every component is doing its best to carefully keep and distribute
precise time. If one pays attention to details and has the money for good
hardware (far more than just a smartphone), to get 40ns is very cool.

# Guessing Time is Even Harder

With all that money can constructive effort, one can do 40ns. What are you
going to do to do better? Get specific. (Warning, it's not going to be easy.)

# Cheap Unguessability

A 1 GHz clock has a cycle time of 1ns. (Is it even possible to buy an Intel-based
machine that runs slower than 1GHz these days?) 1ns is a lot
smaller than 40ns. You don't know the value of my clock.

Intel chips have a timestamp counter that increments with every tick of the
system clock. You don't know the value of my counter.

The system clock isn't fed to the CPU, the CPU is fed a much lower
frequency, that it then multiplies up using analog on-chip PLL circuitry.
That clock is then (carefully) distributed on-chip. And even then, different
parts of the chip are in different clock domains, because clock distribution
and synchronization is hard.

So the "system clock" doesn't exist outside the CPU, it is only a "CPU clock",
and not all parts of the CPU are even privy to it.

No one at any distance outside that chip knows the value of the timestamp
counter. A program might contain the instruction to read the timestamp
counter, but by the time anything is done with that value, it will have
changed.

Is there "entropy" in that system clock? Some, but only some. The PLL will
have some jitter, the precision of the lower frequency input clock will have
iffy precision and be subject to drift.

Is there "unguessability" in that system clock? Plenty! At least to any
observer at any distance (i.e., outside the computer).

Remember, it takes billions of dollars and lots of careful design and
cooperation to distribute 40ns. time. No such effort nor expense has been made
to tell the world the precise value of my 1ns period (or less) CPU clock.

No one outside my computer knows its precise value.

# Back on Topic

Intel hardware has a great source of unguessability in its timestamp
counter. All you need is an uncorrelated sampling of this clock. Say, a
network interrupt.

I know the squish patrol is now all upset, because external observers can
be the one's sending these packets with careful timing. So what? The
timing can't be careful enough. The value that is read from the timestamp
counter in servicing that interrupt depends on knowing edge timings far
more closely than 1ns, for every time the observer guesses a value on the
wrong side of one of these edges, one bit of unguessability slips by.

# RNGs are Still Hard

A (1) uncorrelated sampling of a (2) fast clock is, indeed, a good source of
unguessability.

But, make sure both those things be true.

Is virtualization messing with how these things work? Is variable clock
scaling messing with it? Have interrupts been virtualized in some
predictable way? Is the timestamp counter being messed with in an
attempt to have it not appear to be warped by clock scaling and effectively
running much slower? Is some OS scheduling algorithm synchronizing
interrupt servicing with timestamp values?

Just because there is an underappreciated way to feed an RNG doesn't
mean there aren't plenty of ways to still mess it up. ("Um, it turns out the
RNG isn't in production builds." Who will notice?)

Implementation matters.

But the fact remains time distribution is hard, the period of a gigahertz clock is small. No one at any distance knows its value. An awful lot of computers out there can use this to drive their RNGs.

-kb, the Kent who laments that Arm CPUs didn't have something like a timestamp counter last he looked.

# Attacks

```default
From: Barney Wolff <barney@databus.com>  2021-05-31
To: Cryptography Mailing List
```

Surely this depends on how many guesses an attacker is
allowed before being detected and blocked. If there's
no penalty for guessing wrong, as with an offline attack,
I doubt the GHz ticker can contribute more than about 20
bits or so.

# Implementation

```default
From: jrzx <jrzx@protonmail.ch> 2021-06-06
To: Cryptography Mailing List
```

Every network or disk event provides several bits of unguessability.  You
are going to accumulate a 128 bits in a hundred milliseconds or so.

Accumulate the bits into Knuth's additive number generator 3.2.2, then
hash the seed.

Continue accumulating randomness into the seed when you get
uncorrelated events.  Continue hashing the seed when you need more
random numbers.

The attacker performing an offline attack will have to guess all 128 bits.
leaving potentially inconvenient history behind 2022-02-16 00:53:01 -05:00			`---`
			`title: Generating numbers unpredictable to an attacker`
Updated to current pandoc format Which affected all documentation files. 2022-05-06 22:49:33 -04:00			`...`
leaving potentially inconvenient history behind 2022-02-16 00:53:01 -05:00			```default
			`From: Kent Borg <kentborg@borg.org> 2021-03-30`
			`To: Cryptography Mailing List`
			```

			`Entropy is important to RNGs but unfortunately RNG people are at risk of`
			`devoutly worshiping at the alter of "Countable Entropy", blinded to`
			`realities, ready with jeers for anyone who does not share their extreme`
			`theology.`

			`These people are so in the thrall of the theoretical that they are blinded to`
			`the practical and any other theories.`

			`And for practical purposes, it is the unguessability of the RNG that`
			`matters. Any source of unguessable data is a good thing to use to drive an`
			`RNG. Even sources that are dismissed as "squish" by the most devout and`
			`most blinded can be good. And there is a great example that these disciples`
			`can't see.`

			`# Time Distribution is Hard`

			`NTP is really great, I love it, so cool. It can set my computer's clock with a`
			`precision measured in milliseconds. Very impressive it can do this just by`
cleanup, and just do not like pdfs Also, needed to understand Byzantine fault tolerant paxos better. Still do not. 2022-02-18 15:59:12 -05:00			`applying algorithms to hardware that is already present.`
leaving potentially inconvenient history behind 2022-02-16 00:53:01 -05:00
			`If one wants better, the next option is to get time from GPS. According to`
			`gps.gov a specialized receiver, at a fixed location, can know the time`
			`within 40ns. This is pretty cool, too. It is good enough to synchronize RF`
			`signals between CDMA cell sites so phones can communicate with more`
			`than one site as the same time.`

			`GPS also depends on billions of dollars of infrastructure with an annual`
			`budget that must be in the millions. People think GPS is about location,`
			`but at its core it is really about time distribution. From end-to-end a design`
			`where every component is doing its best to carefully keep and distribute`
			`precise time. If one pays attention to details and has the money for good`
			`hardware (far more than just a smartphone), to get 40ns is very cool.`

			`# Guessing Time is Even Harder`

			`With all that money can constructive effort, one can do 40ns. What are you`
			`going to do to do better? Get specific. (Warning, it's not going to be easy.)`

			`# Cheap Unguessability`

			`A 1 GHz clock has a cycle time of 1ns. (Is it even possible to buy an Intel-based`
			`machine that runs slower than 1GHz these days?) 1ns is a lot`
			`smaller than 40ns. You don't know the value of my clock.`

			`Intel chips have a timestamp counter that increments with every tick of the`
			`system clock. You don't know the value of my counter.`

			`The system clock isn't fed to the CPU, the CPU is fed a much lower`
			`frequency, that it then multiplies up using analog on-chip PLL circuitry.`
			`That clock is then (carefully) distributed on-chip. And even then, different`
			`parts of the chip are in different clock domains, because clock distribution`
			`and synchronization is hard.`

			`So the "system clock" doesn't exist outside the CPU, it is only a "CPU clock",`
			`and not all parts of the CPU are even privy to it.`

			`No one at any distance outside that chip knows the value of the timestamp`
			`counter. A program might contain the instruction to read the timestamp`
			`counter, but by the time anything is done with that value, it will have`
			`changed.`

			`Is there "entropy" in that system clock? Some, but only some. The PLL will`
			`have some jitter, the precision of the lower frequency input clock will have`
cleanup, and just do not like pdfs Also, needed to understand Byzantine fault tolerant paxos better. Still do not. 2022-02-18 15:59:12 -05:00			`iffy precision and be subject to drift.`
leaving potentially inconvenient history behind 2022-02-16 00:53:01 -05:00
			`Is there "unguessability" in that system clock? Plenty! At least to any`
			`observer at any distance (i.e., outside the computer).`

			`Remember, it takes billions of dollars and lots of careful design and`
			`cooperation to distribute 40ns. time. No such effort nor expense has been made`
			`to tell the world the precise value of my 1ns period (or less) CPU clock.`

			`No one outside my computer knows its precise value.`

			`# Back on Topic`

			`Intel hardware has a great source of unguessability in its timestamp`
			`counter. All you need is an uncorrelated sampling of this clock. Say, a`
			`network interrupt.`

			`I know the squish patrol is now all upset, because external observers can`
			`be the one's sending these packets with careful timing. So what? The`
			`timing can't be careful enough. The value that is read from the timestamp`
			`counter in servicing that interrupt depends on knowing edge timings far`
			`more closely than 1ns, for every time the observer guesses a value on the`
			`wrong side of one of these edges, one bit of unguessability slips by.`

			`# RNGs are Still Hard`

			`A (1) uncorrelated sampling of a (2) fast clock is, indeed, a good source of`
			`unguessability.`

			`But, make sure both those things be true.`

			`Is virtualization messing with how these things work? Is variable clock`
			`scaling messing with it? Have interrupts been virtualized in some`
			`predictable way? Is the timestamp counter being messed with in an`
			`attempt to have it not appear to be warped by clock scaling and effectively`
			`running much slower? Is some OS scheduling algorithm synchronizing`
			`interrupt servicing with timestamp values?`

			`Just because there is an underappreciated way to feed an RNG doesn't`
			`mean there aren't plenty of ways to still mess it up. ("Um, it turns out the`
			`RNG isn't in production builds." Who will notice?)`

			`Implementation matters.`

			`But the fact remains time distribution is hard, the period of a gigahertz clock is small. No one at any distance knows its value. An awful lot of computers out there can use this to drive their RNGs.`

			`-kb, the Kent who laments that Arm CPUs didn't have something like a timestamp counter last he looked.`

			`# Attacks`

			```default
			`From: Barney Wolff <barney@databus.com> 2021-05-31`
			`To: Cryptography Mailing List`
			```

			`Surely this depends on how many guesses an attacker is`
			`allowed before being detected and blocked. If there's`
			`no penalty for guessing wrong, as with an offline attack,`
			`I doubt the GHz ticker can contribute more than about 20`
			`bits or so.`

			`# Implementation`

			```default
			`From: jrzx <jrzx@protonmail.ch> 2021-06-06`
			`To: Cryptography Mailing List`
			```

			`Every network or disk event provides several bits of unguessability. You`
			`are going to accumulate a 128 bits in a hundred milliseconds or so.`

			`Accumulate the bits into Knuth's additive number generator 3.2.2, then`
			`hash the seed.`

			`Continue accumulating randomness into the seed when you get`
			`uncorrelated events. Continue hashing the seed when you need more`
			`random numbers.`

			`The attacker performing an offline attack will have to guess all 128 bits.`