Saturday, September 18, 2021

[nyacyyfx] coin flip every day

50% random sampling of upcoming days:

set the "key" (initialization vector) parameter to a different string to get a different set of days.  this parameter seeds the random number generator. (previously on seeding a random number generator with a string.)

set the "r" parameter to an integer from 1 to 256 to sample a fraction r/256 of days.  for example, this samples only 1/4 (= 64/256) of days:

the code works by forming a string consisting of each date concatenated with a processed key, hashing it with SHA-1, and comparing the first byte of the hash against r.  source code (in Perl) here.

we use crypt(3) to process the key.  this makes it difficult for an adversary who can only observe the output (pattern of days) to guess the key and predict future dates.  (but if an adversary has access to the URL, they can of course see the key.)  "salt" and "rounds" are also available as parameters for crypt(3).  crypt(3) requires a salt.  the default salt is "randomdays".  we enforce a maximum number of rounds of 200000 to avoid overloading the web server.  we have also chosen 200000 rounds to be the default.  (future work: client-side computation.)

set the debug parameter to enable comments in the generated HTML that document exactly what is being hashed.  note that if an adversary has access to the debug comments, they can predict future dates.  set debug to 2 to also see hashes of rejected dates. (then View Source in your browser)

because we used common cryptography primitives, it is not difficult to replicate the computation by other means, e.g., command line:

(echo -n 2023-03-20-128/256- ; mkpasswd -m sha-512 -R 200000 yourrandomstring randomdays | perl -pwe chomp) | sha1sum

compare the output of the above with comments in the debug-mode generated HTML.  the first output byte from sha1sum, hex 45, is less than hex 80 (decimal 128), so the day is selected. 

mkpasswd is a utility in the "whois" Debian package.  note that it requires salts of minimum length 8 even though no such minimum is required by the underlying routine.  (crypt(3) specifies maximum salt length of 16, also enforced by mkpasswd.)
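the same computation in Python, as an added example rather than the post's own Perl source: the crypt(3) step goes through the standard-library crypt module (deprecated since Python 3.11, removed in 3.13; where it is missing, pass the mkpasswd output string as the processed key instead), and the function names and the constructed demo key are this example's own.

```python
import datetime as dt
import hashlib

def process_key(key: str, salt: str = "randomdays", rounds: int = 200000) -> str:
    """crypt(3) SHA-512 with explicit rounds, matching
    `mkpasswd -m sha-512 -R <rounds> <key> <salt>` (the post's defaults shown).
    The stdlib crypt module is deprecated since Python 3.11 and gone in 3.13;
    on such systems pass the mkpasswd output string to the functions below."""
    import crypt  # thin wrapper over the platform crypt(3)
    return crypt.crypt(key, f"$6$rounds={rounds}${salt}$")

def hashed_string(day: str, r: int, processed_key: str) -> str:
    """The exact string that gets hashed (what the debug comments show):
    ISO date, '-r/256-', then the crypt(3) output."""
    return f"{day}-{r}/256-{processed_key}"

def day_selected(day: str, r: int, processed_key: str) -> bool:
    """A day is selected when the first SHA-1 byte is below r, i.e. with
    probability r/256 (r=128 is the coin flip, r=64 samples a quarter)."""
    if not 1 <= r <= 256:
        raise ValueError("r must be an integer from 1 to 256")
    digest = hashlib.sha1(hashed_string(day, r, processed_key).encode("utf-8")).digest()
    return digest[0] < r

def sample_days(start: str, n_days: int, r: int, processed_key: str) -> list[str]:
    """ISO dates among the n_days starting at `start` that the rule selects."""
    first = dt.date.fromisoformat(start)
    selected = []
    for i in range(n_days):
        day = (first + dt.timedelta(days=i)).isoformat()
        if day_selected(day, r, processed_key):
            selected.append(day)
    return selected

if __name__ == "__main__":
    # Constructed stand-in for the mkpasswd output; use process_key(...)
    # where the crypt module is available.
    demo_key = "$6$rounds=200000$randomdays$CONSTRUCTED-DEMO-VALUE"
    picked = sample_days("2023-03-20", 365, 64, demo_key)
    print(f"{len(picked)} of 365 days selected (expect about {365 * 64 // 256})")
    print(picked[:5])
```

anyone holding the processed key (from the URL or the debug comments) can run sample_days on any future range, which is the prediction risk the post describes.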

we have also previously discussed invoking crypt(3) from Perl and from Python.

we have been using this utility to spread out blog posts.
