Where can I get a reliable source of entropy (real randomness byte[])?
Clash Royale CLAN TAG#URR8PPP
Where can I get a reliable source of entropy (real randomness byte)?
Currently, I'm looking for a way to increase the quality of randomness in my Android application (a card game). Previously, it was estimated that for my situation (52! permutation) at least 226 bits of entropy (226 random bits) are needed..
Android
I'm planning to use this byte as a seed for SecureRandom:
byte
SecureRandom
SecureRandom random = new SecureRandom();
random.setSeed(/* insert seed here, byte */)
The question is -- Where can I reliably get random bits in this amount (at least 226 bits) on Android, preferably without requiring any permissions and without internet. Also, it should work regardless of device and API level.
Android
"...preferably without requiring any permissions and without internet..." I very much doubt you can. You'd need permissions to use the mic to pick up ambient noise, for instance, or internet to use
random.org or similar...– T.J. Crowder
Aug 10 at 13:20
random.org
@KlingKlang - But I'm looking for an answer specifically for Android. Is this not correct to state it in the title?
– Serj Ardovic
Aug 10 at 13:20
@KlingKlang - Alright, thank you for your guidance..
– Serj Ardovic
Aug 10 at 13:22
SecureRandom uses /dev/random on Linux and most likely Android.– Peter Lawrey
Aug 10 at 13:24
SecureRandom
/dev/random
2 Answers
2
On Java 8+ you can use
SecureRandom rand = SecureRandom.getInstanceStrong();
To get the strongest randomness available on your platform. To be explicit you can use
SecureRandom rand = SecureRandom.getInstance("NativePRNGBlocking");
which use the entropy of /dev/random on Linux like systems. However, I expect it will fail if not available.
/dev/random
https://www.synopsys.com/blogs/software-security/proper-use-of-javas-securerandom/
Alternatively
You could create randomness based on the user's input by taking a SHA256 or higher of the System.nanoTime() of previous events.
System.nanoTime()
Without being able to access the mic (which would require permissions) or grab bytes from random.org (which would require internet), the only thing that I can think of is the user him/herself: Present a blank square the user moves their finger across, instructing them to do it as randomly as possible, ideally for several seconds, and use that touch data. (I seem to recall an app I used to use — TrueCrypt? — did this.) You might even throw some pseudo-randomness on top of their human-randomness to try to avoid people gaming the system with extraordinarily precise repeatable movements.
random.org
If you relax your requirements a bit, you can probably get some quite good entropy from the mic (ambient noise) and/or accelerometer. And of course, if you request network access, you can download truly random data from http://random.org.
If they don't care about permissions, getting a byte stream from the mic or ACCELEROMETER data, then adding that to a pseudo random number would seem to work well.
– Josh White
Aug 10 at 13:31
Very nice point, perhaps I could generate random bytes based on the actions in the previous round of the game..
– Serj Ardovic
Aug 10 at 13:34
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
Please, don't repeat the android tag in the title.
– Kling Klang
Aug 10 at 13:19