
You can look all over the universe for entropy. Lava lamps make for a cool PR showpiece, and apparently easy fodder for fluff pieces like this article. I just hope none of my relatives read it and ask me about it. The reality is much more interesting but would probably bore most people to death.


What's the best entropy bang-for-your-buck < $100?


Read the voltage drop across a high-value resistor at room temperature. There are random fluctuations proportional to the temperature and resistor value. You can use these fluctuations to generate uniformly distributed random numbers. https://en.m.wikipedia.org/wiki/Johnson%E2%80%93Nyquist_nois...


Flip a penny twice, if you get heads followed by tails, write down 0. If you get tails, followed by heads, write down 1. Otherwise ignore the two flips. Rinse and repeat until you have enough bits.

The purpose of flipping twice is that it offsets any potential static bias (caused eg by weight difference) between the two sides.


Common ways to generate entropy in a way that’s friendly to computers include: measuring noise from a zener (or other electronic component), delta between two or more oscillators, or timing between external events (e.g. keystrokes, packets, etc). These are all super cheap to manufacture (~$1). If you want to go high end, you can spend ~$1000 and get a generator based on some quantum property (photon spin or background radiation detector).

Computers will typically combine two or more sources of entropy. In newer TLS version handshakes, the entropy from both the server and the client comes into play. So there are ways to build defense in depth.


Truerng claims this on 100MB of generated data:

Entropy = 7.999998 bits per byte.

If you can fit this quality on a USB, why didn’t motherboards contain a circuit like that?

Maybe they do on server boards?


That's what RDRAND is - well, it's not the same physical mechanism as TrueRNG, but it is a fast hardware random number generator built into the CPU.


There is a fun generalization of the game. Assume the penny has (unknown) bias p. You want to output a new flip with bias some function f(p). So f(p)=1/2 is what you described, ie how to get a fair flip. For some functions it can be even easier, e.g. f(p)=p^2 - definitely only requires two flips.

How about:

f(p)=p^2/(p^2+(1-p)^2)

f(p)=2p(1-p)

f(p)=3p(1-p)

f(p)=sqrt(p)

The last two are tricky, I took them from a paper "functions arising from coin flipping" by Wastlund. (The quantum generalization is even more fun, but this text box is too small to contain it.)
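
Added example, not part of any comment in this thread: the two-flip trick described earlier (von Neumann debiasing, the f(p)=1/2 case) next to the two easier functions from the list above, f(p)=2p(1-p) and f(p)=p^2/(p^2+(1-p)^2). The bias 0.8, the seed and all function names are constructed for illustration; heads is encoded as 1.

```python
import random
from itertools import islice

def flips(p, rng):
    """Endless flips of a coin that lands heads (1) with probability p."""
    while True:
        yield 1 if rng.random() < p else 0

def von_neumann(src):
    """f(p) = 1/2. Heads-tails -> 0, tails-heads -> 1, equal pairs dropped."""
    while True:
        a, b = next(src), next(src)
        if a != b:
            yield b          # (1,0) -> 0 and (0,1) -> 1

def differ(src):
    """f(p) = 2p(1-p). Exactly two flips: output 1 when they differ."""
    while True:
        yield int(next(src) != next(src))

def same_pair(src):
    """f(p) = p^2 / (p^2 + (1-p)^2). Keep only equal pairs, output the face."""
    while True:
        a, b = next(src), next(src)
        if a == b:
            yield a

def estimate(transform, p, n=100_000, seed=1):
    """Fraction of 1s in n output bits, from a seeded (reproducible) coin."""
    return sum(islice(transform(flips(p, random.Random(seed))), n)) / n

def flips_per_bit(p, n=100_000, seed=1):
    """Measured cost of von Neumann debiasing: input flips per output bit."""
    used = 0
    def counted():
        nonlocal used
        for f in flips(p, random.Random(seed)):
            used += 1
            yield f
    sum(islice(von_neumann(counted()), n))   # drain n output bits
    return used / n

if __name__ == "__main__":
    p = 0.8   # constructed bias; the extractor never needs to know it
    for t in (von_neumann, differ, same_pair):
        print(t.__name__, round(estimate(t, p), 3))
    print("flips per fair bit:", round(flips_per_bit(p), 2))
```

The debiasing only holds when flips are independent with a fixed bias; correlation between successive samples passes straight through. The cost is 1/(p(1-p)) input flips per output bit, so a heavily biased source yields very little.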


Wasn’t there a paper that showed it is basically impossible to load a physical coin?


AKA von Neumann debiasing, or the von Neumann trick.


> bang-for-your-buck

Testing for randomness is impossible in the YES/NO sense, so the best we have is statistical test batteries like NIST's 800-22, DieHarder and TestU01.

I own a Truerng and a Onerng, both are under $50. They performed better on Dieharder than my computer's Intel RNG. Not by a huge margin, but still. All 3 passed the minimum requirements of course.
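
Added example, not part of any comment in this thread: what a "bits per byte" figure like the one quoted earlier measures, and why a high score cannot be a yes/no verdict. It assumes the quoted figure is a byte-histogram Shannon entropy (the form the `ent` utility reports); the counter stream and all function names are constructed for illustration.

```python
import math
import os
import zlib
from collections import Counter

def bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; byte order is ignored."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compressed_ratio(data: bytes) -> float:
    """zlib output size / input size; far below 1.0 means visible structure."""
    return len(zlib.compress(data, 9)) / len(data)

def counter_stream(n_bytes: int) -> bytes:
    """Constructed worst case: 0, 1, ..., 255 repeated. Fully predictable."""
    return bytes(i & 0xFF for i in range(n_bytes))

def os_sample(n_bytes: int) -> bytes:
    """Reference sample from the operating system's CSPRNG."""
    return os.urandom(n_bytes)

def report(name: str, data: bytes) -> dict:
    return {
        "name": name,
        "bits_per_byte": round(bits_per_byte(data), 6),
        "zlib_ratio": round(compressed_ratio(data), 4),
    }

if __name__ == "__main__":
    size = 1 << 20
    # The counter scores a perfect 8.0 bits per byte yet compresses to
    # almost nothing; the OS sample scores just under 8.0 and does not
    # compress at all.
    print(report("counter", counter_stream(size)))
    print(report("os.urandom", os_sample(size)))
```

The compression check catches the counter, but output of a cipher run under a fixed, known key would pass both checks while being fully predictable to anyone holding the key.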


Two are close I think.

A capped web camera, CCDs pick up enough stray electrons to be a reliable source of entropy.

An old cheap radio tuned to static plugged into your microphone port.

https://www.mentalfloss.com/article/81946/7-sources-randomne...


> web camera, CCDs pick up enough stray electrons to be a reliable source of entropy.

Ironically, this is the same setup as the lavalamps, but without having to pay for the lava lamps.


I believe they figured out the lens cap hack when there was a lava lamp failure.


I’m trying to envisage what different lava lamp failures might look like, and I’ve gotta say, there are some entertaining possibilities in that idea.


Both the radio and the CCD seem like something a determined actor could undermine. Transmitting a directional pop of radio static at just the right moment, or whatever causes CCDs to show static (x-rays?)


If the bad guys can point an X-Ray gun at your stuff, random numbers are probably not going to be your biggest issue. :)


If your attacker can stage a sophisticated attack on your entropy source and your budget is $100, you are screwed regardless.


This is not a good idea for the uninitiated and is on par with rolling your own encryption algorithm to send highly sensitive data around the world.

For the price GP mentioned there's a dozen vetted opensource commercial options in the bottom half of that range.


The uninitiated have zero business sending highly sensitive data around the world in general.


And yet they still do it daily. This is why secure-by-default should always be the norm.


$0, your base server or laptop, and getrandom.



Multi-colored so your own biases don't affect the order you read the dice in. E.g., and I'm just guessing, some people might notice the higher numbers first and read those out.


An ADC, the shittier the better. Turn the gain all the way up. Don't bother plugging a microphone into it. XOR all the bits together. Done.


Just set stuff on fire I suppose.



Dice - for not too many bits, and a low data rate.

Hardware or /dev/urandom (or Windows equivalent) and downstream library calls - many bits, high data rate


A set of casino dice and a 5 gallon bucket.


What's the bucket for?


To throw the dice into!


Fair enough :)

I guess we're still well within budget.


Just hang a microphone outside your window and pick up all the birds chirping and other street noises?


I bet you could find some patterns in street noises, but I'm also not 100% sure what entropy is


I wonder if you could do this in a silent room with a cheap mic and just use the static white noise


I know someone who used that technique at one of the world's largest banks, back in the 1990s.


Casino grade dice



