PaulCapestany/oi.js

## oi.js
// TLDR:  Oi, Barnes.  We'll miss ya.  Here's a grimy RNG in your honor.
//        node oi.js or paste the below into your favorite browser's JS console.
// DEFCON CHALLENGE:  Break this!

function millis()         { return Date.now(); }
function flip_coin()      { n=0; then = millis()+1; while(millis()<=then) { n=!n; } return n; }
function get_fair_bit()   { while(1) { a=flip_coin(); if(a!=flip_coin()) { return(a); } } }
function get_random_byte(){ n=0; bits=8; while(bits--){ n<<=1; n|=get_fair_bit(); } return n; }

report_console = function() { while(1) { console.log(get_random_byte()); }}
report_console();


//Oi 1.0:  The 'Obviously Incorrect' Random Number Generator
//         (so go break it!)
//   From: Dan Kaminsky
// Greetz: Barnaby Jack -- there's a pile of awesome reasons to name this
//         Oi, but this one's for you.
//   Date:  1-Aug-2013
//   Idea:
//       A man with one clock knows what time it is.
//       A man with two clocks is never sure.
//       Or:  Anyone who thinks computers are deterministic
//       systems has never tried to write realtime code :)
//
//       In 2011, Nadia Heninger et al found that at least 1 of 200 RSA
//       keys on the Internet were crackable due to random number generators,
//       and that generally those RNGs lived on embedded devices.
//
//       Can we do better?
//
//       In the real world, when we need to make a random choice, we don't
//       go out and buy a hunk of radioactive material and stick a
//       Geiger counter next to it.  We just flip a coin.  Coin flipping
//       ultimately is just measuring a slow system (how many seconds
//       does it take for a coin to rise and fall) against a fast system
//       (how many spins, or bit flips, a coin can complete before it
//       lands).
//
//       That can be done in code.  Lets compare janky millisecond timers
//       (1000 cycles/sec AT BEST) to CPUs themselves (millions to
//       billions of cycles/sec).  And, lets just get one bit, heads
//       or tails.
//
//       Interrupts ain't cycle accurate.
//
//       Oi, like Dakarand and Matt Blaze's Truerand before it, might very
//       well not work. But, you know, this is four lines of JavaScript,
//       The Language That Must Never Be Allowed To Do Cryptography
//       Ever Because Ew.  So here's a Defcon challenge, in honor of our
//       fallen friend.  Lets break this!
//
//       Pick any hardware, pick any language.  Even be an
//       active attacker, doing pesky things to available CPU.
//       If you can influence a bit, greater than chance, you
//       win!  I'm sure this fails _somewhere_.
//
//       This isn't a production version of Oi, by any means.  I'm
//       only doing simple Von Neumann debiasing (throwing away
//       any two 'coin flips' that return the same value). I'm not
//       scrambling the output with even a basic hash, allowing
//       an active attacker some access to the direct bitstream.
//       And there's no PRNG, so speed is actually too slow for
//       lots of production uses.  5 seconds in IE6 for 128 bits
//       is too much, for instance.
//
//       But, I wanna give attackers a fighting chance here.  And the
//       more an attack falls to a fifth line of code, the more
//       obvious it is that our threat models perhaps need adjusting.
//
//       This'll definitely fail to a cycle accurate emulator, but
//       anything else is fair game.
//
//Execution:  node oi.js, or paste into a JS console in your favorite
//            browser.
//Note:  You may need a "nicer" emitter of bytes.  Do this.
//report_console = function() { console.log(get_random_byte()); setTimeout(report_console, 0); }


===
Output from ent (unlike diehard/dieharder, ent doesn't emit bad results on small bitstreams):

$ ent rand_js.bin
Entropy = 7.999967 bits per byte.

Optimum compression would reduce the size
of this 7006068 byte file by 0 percent.

Chi square distribution for 7006068 samples is 316.67, and randomly
would exceed this value 0.50 percent of the times.

Arithmetic mean value of data bytes is 127.5564 (127.5 = random).
Monte Carlo value for Pi is 3.139320943 (error 0.07 percent).
Serial correlation coefficient is -0.000659 (totally uncorrelated = 0.0).

===
Simple packer:

#!/usr/bin/python

import sys
import struct


for line in open(sys.argv[1], "r").xreadlines():
  n=struct.pack("B", int(line.rstrip()))
  sys.stdout.write(n)
	// TLDR: Oi, Barnes. We'll miss ya. Here's a grimy RNG in your honor.
	// node oi.js or paste the below into your favorite browser's JS console.
	// DEFCON CHALLENGE: Break this!

	function millis() { return Date.now(); }
	function flip_coin() { n=0; then = millis()+1; while(millis()<=then) { n=!n; } return n; }
	function get_fair_bit() { while(1) { a=flip_coin(); if(a!=flip_coin()) { return(a); } } }
	function get_random_byte(){ n=0; bits=8; while(bits--){ n<<=1; n\|=get_fair_bit(); } return n; }

	report_console = function() { while(1) { console.log(get_random_byte()); }}
	report_console();


	//Oi 1.0: The 'Obviously Incorrect' Random Number Generator
	// (so go break it!)
	// From: Dan Kaminsky
	// Greetz: Barnaby Jack -- there's a pile of awesome reasons to name this
	// Oi, but this one's for you.
	// Date: 1-Aug-2013
	// Idea:
	// A man with one clock knows what time it is.
	// A man with two clocks is never sure.
	// Or: Anyone who thinks computers are deterministic
	// systems has never tried to write realtime code :)
	//
	// In 2011, Nadia Heninger et al found that at least 1 of 200 RSA
	// keys on the Internet were crackable due to random number generators,
	// and that generally those RNGs lived on embedded devices.
	//
	// Can we do better?
	//
	// In the real world, when we need to make a random choice, we don't
	// go out and buy a hunk of radioactive material and stick a
	// Geiger counter next to it. We just flip a coin. Coin flipping
	// ultimately is just measuring a slow system (how many seconds
	// does it take for a coin to rise and fall) against a fast system
	// (how many spins, or bit flips, a coin can complete before it
	// lands).
	//
	// That can be done in code. Lets compare janky millisecond timers
	// (1000 cycles/sec AT BEST) to CPUs themselves (millions to
	// billions of cycles/sec). And, lets just get one bit, heads
	// or tails.
	//
	// Interrupts ain't cycle accurate.
	//
	// Oi, like Dakarand and Matt Blaze's Truerand before it, might very
	// well not work. But, you know, this is four lines of JavaScript,
	// The Language That Must Never Be Allowed To Do Cryptography
	// Ever Because Ew. So here's a Defcon challenge, in honor of our
	// fallen friend. Lets break this!
	//
	// Pick any hardware, pick any language. Even be an
	// active attacker, doing pesky things to available CPU.
	// If you can influence a bit, greater than chance, you
	// win! I'm sure this fails _somewhere_.
	//
	// This isn't a production version of Oi, by any means. I'm
	// only doing simple Von Neumann debiasing (throwing away
	// any two 'coin flips' that return the same value). I'm not
	// scrambling the output with even a basic hash, allowing
	// an active attacker some access to the direct bitstream.
	// And there's no PRNG, so speed is actually too slow for
	// lots of production uses. 5 seconds in IE6 for 128 bits
	// is too much, for instance.
	//
	// But, I wanna give attackers a fighting chance here. And the
	// more an attack falls to a fifth line of code, the more
	// obvious it is that our threat models perhaps need adjusting.
	//
	// This'll definitely fail to a cycle accurate emulator, but
	// anything else is fair game.
	//
	//Execution: node oi.js, or paste into a JS console in your favorite
	// browser.
	//Note: You may need a "nicer" emitter of bytes. Do this.
	//report_console = function() { console.log(get_random_byte()); setTimeout(report_console, 0); }


	===
	Output from ent (unlike diehard/dieharder, ent doesn't emit bad results on small bitstreams):

	$ ent rand_js.bin
	Entropy = 7.999967 bits per byte.

	Optimum compression would reduce the size
	of this 7006068 byte file by 0 percent.

	Chi square distribution for 7006068 samples is 316.67, and randomly
	would exceed this value 0.50 percent of the times.

	Arithmetic mean value of data bytes is 127.5564 (127.5 = random).
	Monte Carlo value for Pi is 3.139320943 (error 0.07 percent).
	Serial correlation coefficient is -0.000659 (totally uncorrelated = 0.0).

	===
	Simple packer:

	#!/usr/bin/python

	import sys
	import struct


	for line in open(sys.argv[1], "r").xreadlines():
	n=struct.pack("B", int(line.rstrip()))
	sys.stdout.write(n)