Can the human brain generate cryptographically secure random numbers?

Question

A security conscious friend of mine was attempting to generate entropy using random dice rolls to generate a random password, and I became curious about the security of random number generators and whether or not she could do the same by simply thinking of random dice rolls. Would it compromise the security of password/key generation to use human-generated random numbers instead of random numbers from a dice or a secure random number generator?

I can see how the standard random number generators included in many programming languages might not be cryptographically secure in known and exploitable ways, but how about the random numbers generated by the brain? When I asked her, she stated that humans were terrible at generating entropy, but I'm not sure that this is the case. How do humans rank in the generation of key entropy and would it be possible for a human mind to take the place of random number generator for key/password generation without being exploitable?

you might want to take a look at this answer to a similar question asked on cogsci.stackexchange.com — lzam, Aug 25 '14 at 22:53
@lzam That answer is interesting and is the kind of thing I was looking for. I still wonder whether the biases described might be able to be mitigated by refining the process. Thank you. — MxSagan, Aug 25 '14 at 23:07
You could use resting heart rate over 15 second intervals. Every increase = 1. Every decrease = 0. There might be some statistical bias, but not much. It would take a while to derive a sufficient number of bits for cryptographic security. — Jeff-Inventor ChromeOS, Aug 26 '14 at 01:57

score 7 · Accepted Answer · answered Aug 25 '14 at 22:59

7

It's plausible that entropy could somehow be generated from brain processes, but doing it directly (e.g., "think of a random number") is, in my opinion, pretty easy to discount.

In a random sequence of bits, the value of any given bit is independent of all other bits in the sequence. However, if you ask a person to generate a random sequence of bits, there's no way to isolate the generation of a bit from the knowledge of which bits preceded it.

answered Aug 25 '14 at 22:59

Stephen Touset

5,784
1
24
38

But is that an exploitable weakness in the process? – MxSagan Aug 25 '14 at 23:04
9

You're thinking about the problem backwards. The burden of proof is to demonstrate that it can't be exploited, not to prove that it can. – Stephen Touset Aug 26 '14 at 00:02

score 7 · Answer 2 · edited Jun 16 '20 at 09:49

Let's explore some possibilities:

Cognitive output forms

1. Numbers

Humans are bad at picking numbers. There is an obvious bias towards odd numbers since they are more exotic. There are polls like this one: Is 17 the “most random” number?

To somewhat mitigate the bias, you could let the person say a long stream of digits (0-9), but the bias will still exist.

2. Letters

Humans have extraordinary language skills ^{[Citation needed]}. This means that there is no way that we won't use them even by accident. It is very likely that after saying T an H will follow for a person with english as the primary language. Don't let me start with the highly biased letter frequency.

3. Boolean

I haven't found anything to support or refute my suspicion, but I think that a stream of 0 and 1 will also be biased. Since pattern recognition have enabled us to survive, we seek order in chaos. This means that it is likely that a person will repeat 0101 many times, but there need to be all sorts of patterns not only one or two present.

Mitigation techniques

1. Actively try to stay away from patterns

This is really hard since humans are bad at probabilities. An indicator for this is the Birthday problem, although it is not really applicable to this question.

2. Hash it

The best way is to hash the output from above with a cryptographically secure hash function like SHA-512. Wikipedia says says that english text has between 0.6 and 1.3 bits of entropy for each character of message. Since the person is trying to say random things, but is not really succeeding, let us assume that 2 bits per letter fits. This means that a person must say at least 256 letters to have enough entropy for a 512 bit key.

Other techniques

Let the randomness come from muscle movements. This is already done in some software solutions to generate high quality randomness, if the system RNG cannot be trusted. The late Truecrypt comes to mind.

The system RNG actually uses things like muscle movements, as each input causes an interrupt. — forest, Mar 15 '18 at 05:55
Also, actively trying to stay away from patterns is one reason people are so bad at this. We all start to "notice" a simple pattern and then adjust our random output. The reality is that we simply give out random numbers with slightly more complex patterns and with less repeats than statistically random! — forest, Mar 15 '18 at 06:33