Open ranweiler opened 7 years ago
The PRNG used in practice will be stipulated precisely by law or policy. Its seed will be determined procedurally before the election, or at least prior to tabulation beginning, thus we do need a means eventually to input that seed manually as a part of the RLA ritual/workflow.
So far most ballot-level risk limiting audits have used Rivest's SHA-256-based sampler library, as described here: https://github.com/cjerdonek/rivest-sampler-tests
Python, Javascript and AngularJS implementations exist as noted there.
I expect we will seed it using some number of dice rolls, e.g. 20 or perhaps 40.
Also, FWIW, I can't find good info offhand on what PRNGs Haskell offers. Are you using System.Random or Crypto.Random? The former is inappropriate, and perhaps also the latter which seems to involve OpenSSL's PRNG, and the default one there may be based on MD5. Eeeewwww....
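As an added example (not code from this issue, the project, or the linked sampler repository), the following Python sketch shows the construction the comment above refers to: a seed string built from dice rolls, fed into a SHA-256 counter so that the ballot sequence is fully determined by the seed. The exact message format (seed, comma, counter) and the modulo reduction are assumptions about Rivest's sampler and should be checked against the test vectors in the linked repository before relying on them; the function names `dice_seed` and `sha256_sampler` are mine.

```python
import hashlib
from typing import List


def dice_seed(rolls: List[int]) -> str:
    """Turn a list of six-sided dice rolls into the seed string used by the sampler.

    Each roll must be 1..6; the seed is the concatenation of the digits, so twenty
    rolls give roughly 52 bits of entropy (20 * log2(6)).
    """
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"invalid die roll: {r}")
    return "".join(str(r) for r in rolls)


def sha256_sampler(seed: str, n_ballots: int, sample_size: int,
                   with_replacement: bool = False) -> List[int]:
    """Return a list of 1-based ballot indices chosen deterministically from `seed`.

    For counter = 1, 2, ... the sampler hashes "<seed>,<counter>" with SHA-256,
    interprets the digest as an integer and reduces it modulo n_ballots.
    (Assumed to follow Rivest's sampler; verify against the reference tests.)
    Because SHA-256 output is 256 bits wide, the modulo bias for any realistic
    ballot count is negligible.
    """
    if n_ballots < 1 or sample_size < 1:
        raise ValueError("n_ballots and sample_size must be positive")
    if not with_replacement and sample_size > n_ballots:
        raise ValueError("cannot draw more distinct ballots than exist")

    picks: List[int] = []
    seen = set()
    counter = 0
    while len(picks) < sample_size:
        counter += 1
        digest = hashlib.sha256(f"{seed},{counter}".encode("ascii")).hexdigest()
        pick = int(digest, 16) % n_ballots + 1
        if not with_replacement:
            # Without replacement: skip a ballot index already drawn and keep hashing.
            if pick in seen:
                continue
            seen.add(pick)
        picks.append(pick)
    return picks


def samples_agree(seed: str, n_ballots: int, sample_size: int) -> bool:
    """Demonstrate reproducibility: two independent runs with the same seed match."""
    return sha256_sampler(seed, n_ballots, sample_size) == \
        sha256_sampler(seed, n_ballots, sample_size)


if __name__ == "__main__":
    # Constructed example: 20 dice rolls recorded at the audit ceremony.
    rolls = [3, 1, 4, 1, 5, 6, 2, 6, 5, 3, 5, 2, 6, 3, 3, 4, 6, 2, 6, 4]
    seed = dice_seed(rolls)
    print("seed:", seed)
    print("first 10 of 1000 ballots:", sha256_sampler(seed, 1000, 10))
    print("reproducible:", samples_agree(seed, 1000, 10))
```

Publishing the seed alongside the ballot manifest lets any observer re-run the sampler and confirm that the ballots pulled were the ones the seed dictates, which is the property a global, implicitly seeded RNG cannot provide.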
@nealmcb, we are currently using the random package, which provides System.Random. This is only meant to be temporary, as it is definitely inappropriate for cryptographic use.
Another alternative is the DRBG package, written/maintained by a Galois engineer: https://hackage.haskell.org/package/DRBG
For demo purposes, setting a seed, or at least using a fixed seed, is a high priority so we can prepare in advance and know how to mark the ballots and get a reproducible outcome.
@nealmcb, noted, I just factored seed selection out into its own issue with a shorter-term milestone.
Right now, when deciding the next ballot to sample, we use the PRNG used in the Haskell random library, seeded implicitly via use of the global RNG.