Replying to waxwing

It took a bit of digging but I believe this is the commit that introduced the use of MT19937 into libbitcoin:

https://github.com/libbitcoin/libbitcoin-system/commit/6d5a06e283d81260165e0eab95175069bf03b408

I would like to hear from Eric what was the thought process behind this.

It's widely known (and certainly was, back then) that seeding a PRNG with a Mersenne Twister is not cryptographically secure. In the case of 32-bit MT19937 it's even comically insecure, as you can just brute force every possible seed (you can also 'play back' earlier MT output if you see enough outputs in sequence).

But, the thing is, in that commit you can see that the approach taken is to use uniform_int_distribution taken from the std library, then seed it. As far as I can tell this function is platform-dependent/implementation-dependent and certainly not claimed to be cryptographically secure. What is going on here? Was there never an attempt in libbitcoin to use cryptographically secure random numbers? There is probably a bit more to the story.

I'm still mystified, after seeing Eric's response on Twitter. He points out that this function is documented as "can introduce weaknesses"...

(though:

1/ the first place I'm directed to for documentation is this page on the wiki:

https://github.com/libbitcoin/libbitcoin-explorer/wiki

which was edited in 2018 and misses the warning, and

2/ it's in fact 100% guaranteed to be entirely insecure, so "can introduce cryptographic weaknesses" is pretty catastrophically misleading to a potential user),

... but doesn't really justify why the function is there in the first place if, as he seems to be saying, no part of the libbitcoin suite was ever intended to generate keys (this does not agree with my decade-old memories of Taaki's explanation of how these tools could be used; maybe it changed from 2015 to 2016 somehow, and, uh, the wiki also?)
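To make the seed-space point concrete, here is an added example (mine, not code from the linked commit, from libbitcoin, or from the poster). It puts the pattern under discussion, a 32-bit seed expanded through `std::mt19937` and `std::uniform_int_distribution`, next to the form a key-generation path should take, which is to read bytes straight from the OS CSPRNG. The `/dev/urandom` path is an assumption about a POSIX system; `weak_seed_bytes`, `weak_seed_entropy_bits`, `os_random_bytes` and `mt19937_ten_thousandth` are names I chose for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <random>
#include <stdexcept>
#include <vector>

// Pattern under discussion: a 32-bit seed fed to std::mt19937, with values
// drawn through std::uniform_int_distribution. Whatever the seed source,
// only 2^32 distinct output streams exist, and the distribution's mapping is
// implementation-defined, so the same seed can yield different bytes on
// different standard libraries.
std::vector<uint8_t> weak_seed_bytes(uint32_t seed, std::size_t n) {
    std::mt19937 gen(seed);
    std::uniform_int_distribution<int> dist(0, 255);
    std::vector<uint8_t> out(n);
    for (auto& b : out) {
        b = static_cast<uint8_t>(dist(gen));
    }
    return out;
}

// Upper bound on the entropy of anything derived from weak_seed_bytes:
// the seed's 32 bits, no matter how many output bytes are requested.
double weak_seed_entropy_bits(std::size_t requested_bytes) {
    const double requested_bits = 8.0 * static_cast<double>(requested_bytes);
    return requested_bits < 32.0 ? requested_bits : 32.0;
}

// Hardened form: take the bytes from the OS CSPRNG instead of expanding a
// small seed with a statistical generator. Assumes a POSIX system exposing
// /dev/urandom (getrandom(2) or a platform API would serve equally well);
// fails loudly rather than falling back to a weak source.
std::vector<uint8_t> os_random_bytes(std::size_t n) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom) {
        throw std::runtime_error("cannot open /dev/urandom");
    }
    std::vector<uint8_t> out(n);
    urandom.read(reinterpret_cast<char*>(out.data()),
                 static_cast<std::streamsize>(n));
    if (static_cast<std::size_t>(urandom.gcount()) != n) {
        throw std::runtime_error("short read from /dev/urandom");
    }
    return out;
}

// The C++ standard pins down mt19937's raw stream: the 10000th output of a
// default-seeded engine must be 4123659995. That is what "fully determined
// by the seed" means for the generator itself.
uint32_t mt19937_ten_thousandth() {
    std::mt19937 gen;  // default seed 5489
    gen.discard(9999);
    return gen();
}
```

The two weak functions together show the problem: the same seed always reproduces the same bytes, and asking for more bytes never raises the entropy above the seed's 32 bits, whereas each call to `os_random_bytes` draws fresh material from the kernel.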


Discussion

Also, the page on randomness shows that `bx help seed` shows no warning either (I haven't checked the latest code, though):

https://github.com/libbitcoin/libbitcoin-explorer/wiki/Random-Numbers