
### shuffling algorithm review


What yall think ?
http://crystalpoker.net/securityreview.php

looking for the best shuffling algorithm to copy for a little project
i'm doing, this one seems like it'd make the best results, just
looking for a few experts' opinions and potential weakness in the
design

i'm not so good at codin though
haha

haha i actually wanna crack this, be tite

Reply joedem (2) 11/30/2005 7:13:41 PM


Joe Damien wrote:
> What yall think ?
> http://crystalpoker.net/securityreview.php
>
> looking for the best shuffling algorithm to copy for a little project
> i'm doing, this one seems like it'd make the best results, just
> looking for a few experts' opinions and potential weakness in the
> design

This design is fairly reasonable.  Its main weakness is that colluding
clients could rig the entropy source and thus make the random number
generator deterministic.  Since they reveal that they are using the
Mersenne Twister, then an attacker in control of all the clients could
in fact simulate the full output.  (The attacker's control could be
"spoofing" the mouse position and timers for the client software, or
simply observing the same thing as the client software by intercepting
the OS calls to get that information, and hiding the
intercepting/hacking program behind SONY's rootkit, or something of a
similar nature.)

As always, people who implement in-house solutions ignore the experts
at their peril.  For a more serious RNG read this:
http://www.schneier.com/yarrow.html .  The crystalpoker.net idea is
fairly good, but doesn't measure up to yarrow.

To make it more secure, I would modify the crystalpoker.net idea.
First you must incorporate server generated entropy with the client
sourced entropy.  In this way *neither* side can rig or observe the
random numbers.  I.e., when each client returned with its "entropy
fragment", the server could take that as an event trigger, and simply
read from its own internal timers and append that as further entropy.

Secondly, as good as the Mersenne Twister is for generating long-cycle
random numbers, I don't think it's reliable as a cryptographically
useful PRNG.  I.e., it may be that observing a long enough sequence of
output from MT, one can reverse engineer what the seed values are (I
don't know how true this is or not, but clearly MT was not designed
with this in mind.)  But a straightforward fix to this is to append 256
bytes of output from the Mersenne Twister at a time to some rotating
buffer (which itself may be somewhat larger than 256), then use SHA-2
(if we consider SHA-1 to be considered broken in the long run) on the
buffer, and use the hash output as the final PRNG output.  In this way
observing the output, it is basically infeasible to reverse engineer
the seeds, except by a direct brute force attack on the seeds
themselves.

But then again, I am not a crypto expert myself.  I would take these
comments as something "even a non-expert can come up with as an
improvement."

But, of course, generating good random numbers might be the least of
the online poker world's problems:

http://www.thisismoney.co.uk/money-savers/article.html?in_article_id=405333&in_page_id=5

--
Paul Hsieh
http://www.pobox.com/~qed/
http://bstring.sf.net/


Reply websnarf (1153) 11/30/2005 8:21:36 PM
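
The two changes proposed in the post above (server timer readings mixed into the client-supplied seed, and SHA-256 over a rotating buffer of Mersenne Twister output), as an added example in Python, whose `random.Random` is a Mersenne Twister; this is not code from crystalpoker.net or from any poster. The names `mix_seed`, `HashedTwister` and `shuffle_deck`, the 320-byte buffer size and the sample fragment are assumptions.

```python
import hashlib
import random
import time

# Added example: all names and the BUFFER size are assumptions, not the site's code.
def mix_seed(client_fragments, server_clock=time.perf_counter_ns):
    """Hash every client fragment together with a server timer reading taken
    as that fragment arrives, so neither side alone fixes the seed."""
    h = hashlib.sha256()
    for frag in client_fragments:
        stamp = server_clock().to_bytes(8, "big")
        h.update(len(frag).to_bytes(4, "big") + frag + stamp)  # length-prefixed
    return int.from_bytes(h.digest(), "big")

class HashedTwister:
    BLOCK = 256    # bytes of MT output appended per step, as in the post
    BUFFER = 320   # rotating buffer, somewhat larger than BLOCK (assumed size)

    def __init__(self, seed):
        self._mt = random.Random(seed)   # CPython's random.Random is MT19937
        self._buf = bytes(self.BUFFER)
        self._pool = b""

    def read(self, n):
        """Return n bytes of SHA-256 output; raw MT words are never exposed."""
        while len(self._pool) < n:
            block = self._mt.getrandbits(8 * self.BLOCK).to_bytes(self.BLOCK, "big")
            self._buf = (self._buf + block)[-self.BUFFER:]
            self._pool += hashlib.sha256(self._buf).digest()
        out, self._pool = self._pool[:n], self._pool[n:]
        return out

    def below(self, bound):
        """Uniform integer in [0, bound), bound <= 256, without modulo bias."""
        limit = 256 - (256 % bound)
        while True:
            b = self.read(1)[0]
            if b < limit:            # reject bytes that would skew the result
                return b % bound

def shuffle_deck(rng):
    """Fisher-Yates shuffle of a 52-card deck driven by the hashed generator."""
    deck = list(range(52))
    for i in range(51, 0, -1):
        j = rng.below(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

if __name__ == "__main__":
    # Constructed client fragment, for illustration only.
    print(shuffle_deck(HashedTwister(mix_seed([b"mouse:412,77"]))))
```

On a current system the server's share would come from the OS CSPRNG (`os.urandom`) rather than a timer reading, and `secrets.SystemRandom().shuffle` would replace the whole construction.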

<websnarf@gmail.com> wrote in message
> Joe Damien wrote:
>> What yall think ?
>> http://crystalpoker.net/securityreview.php
>>
> As always, people who implement in-house solutions ignore the experts
> at their peril.  For a more serious RNG read this:
> http://www.schneier.com/yarrow.html .  The crystalpoker.net idea is
> fairly good, but doesn't measure up to yarrow.
>
> To make it more secure, I would modify the crystalpoker.net idea.
> First you must incorporate server generated entropy with the client
> sourced entropy.  In this way *neither* side can rig or observe the
> random numbers.  I.e., when each client returned with its "entropy
> fragment", the server could take that as an event trigger, and simply
> read from its own internal timers and append that as further entropy.
>

Towards the end of the crystalpoker.net article, we're told:

"So before a new deck is shuffled, we use a Mersenne Twister. The data we
provide it with is all this new entropy seed data we've collected from all
the clients and the server's local chipset Timer Stamp Counter."

....which seems to cover that eventuality.

--
Roger


Reply rkww (343) 12/1/2005 9:37:48 AM

In article <1133382096.743139.101890@g49g2000cwa.googlegroups.com>,
websnarf@gmail.com says...

> This design is fairly reasonable.  Its main weakness is that colluding
> clients could rig the entropy source and thus make the random number
> generator deterministic.  Since they reveal that they are using the
> Mersenne Twister, then an attacker in control of all the clients could
> in fact simulate the full output.

As Roger points out, they add entropy from the server.

However, if their business is running poker games for a fee or a
percentage of the pot, if their clients all collude they will just be
organising the payouts between themselves, with no harm to Crystal
Poker!

- Gerry Quinn

Reply gerryq (1329) 12/1/2005 1:04:40 PM

Hey Gerry,
been busy trying to figure this out.
programming is not my strong point
I wish they had some sample code on the website heh.

but blah, i think i'm gonna just contact crystalpoker.net and ask them
to provide some sample code on the article

On Thu, 1 Dec 2005 13:04:40 -0000, Gerry Quinn
<gerryq@DELETETHISindigo.ie> wrote:

>websnarf@gmail.com says...
>
>> This design is fairly reasonable.  Its main weakness is that colluding
>> clients could rig the entropy source and thus make the random number
>> generator deterministic.  Since they reveal that they are using the
>> Mersenne Twister, then an attacker in control of all the clients could
>> in fact simulate the full output.
>
>As Roger points out, they add entropy from the server.
>
>However, if their business is running poker games for a fee or a
>percentage of the pot, if their clients all collude they will just be
>organising the payouts between themselves, with no harm to Crystal
>Poker!
>
>- Gerry Quinn

Reply joedem (2) 12/4/2005 10:51:59 AM
