
SoylentNews is people

posted by chromas on Monday June 17 2019, @06:02PM

23. 712. 3. 608. 45. 89. 11. 332. 841. 255. You Want More? Cloudflare and Pals are Streaming 'em Live From New RNG API:

Like some kind of space-age Bingo hall caller, a cloud-based API that publicly streams random numbers arrives today, and is being touted by Cloudflare.

The web-distribution giant is enlisting the help of four other organizations and a handful of researchers to create what it calls the League of Entropy, a project aimed at creating and maintaining tools that output random numbers.

The project combines Cloudflare's own LavaRand lava-lamp-based random number generator with EPFL's URand, UChile's random number generator, Kudelski Security's ChaChaRand, and Protocol Labs' InterplanetaryRand. The combined systems will funnel their random data into an endpoint called Drand, and every 60 seconds it will output a 512-bit value to the world, so that anyone can fetch the digits and use them for their random numbers.

[...] "This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers."

This is where it should be noted that the public system will not be recommended in any way, shape, or form for use with cryptographic or security-sensitive tools or applications, for obvious reasons. Those who want a stream of private numbers can link up with Drand or the individual beacons directly rather than stream from the public API.

[...] Rather, Cloudflare sees the public strings being used for things like election auditing or scientific research where officials will want true random numbers that can be verified as untouched from the source. You can find more details of this over on the Cloudflare website by the time you read this.

Obligatory xkcd and Donald Knuth's exposition on the challenges of trying to create random numbers.



Related Stories

Article: Random Uniform Experiment for the Masses 9 comments

Hot on the heels of the news about the League of Entropy, I offer my own analysis of various challenges present in the quest for random bits. Thanks to the exposure of this development by SoylentNews, I dug up my old 2012 proposal and saw that LoE implemented something very similar, but fully automated. Remarkably, it took me some 7 years to realize that my original proposal can be easily adopted for robots, and now I am delighted to share with you a very basic description of the problem, the difficulties, and the implementation details.

And by the way, you may not think that when you see the format, but this is intended as a scholarly article, and it is currently in peer review phase — where it will remain for as long as it is useful — and there are people willing to maintain it. Please feel welcome to offer comments, ideas, corrections via email or xmpp, and I will do my best to create a review journal and credit everyone involved, as appropriate.



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Funny) by Anonymous Coward on Monday June 17 2019, @06:44PM (5 children)

    by Anonymous Coward on Monday June 17 2019, @06:44PM (#856730)

    So we're just supposed to "trust" them.

    • (Score: 2, Funny) by Anonymous Coward on Monday June 17 2019, @07:11PM (1 child)

      by Anonymous Coward on Monday June 17 2019, @07:11PM (#856739)
      • (Score: 2) by Freeman on Tuesday June 18 2019, @03:43PM

        by Freeman (732) on Tuesday June 18 2019, @03:43PM (#857017) Journal

        I love me some Dilbert, though sometimes, it can be depressingly accurate.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 3, Interesting) by edIII on Monday June 17 2019, @07:45PM (1 child)

      by edIII (791) on Monday June 17 2019, @07:45PM (#856755)

      It's worse than that. Usually, you collect randomness (or entropy) from the world directly around you. The source of randomness is as important as its entropy. In order to predict the random numbers being sourced from your environment, they would need a very accurate model of your environment. With the League of Entropy you can be watched to see what you consume, and the LoE can be monitored for its output.

      Random numbers need to be high in entropy and secret. What's the difference between this and asking the NSA to send you some high entropy randomness over your fax machine?

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by DannyB on Monday June 17 2019, @08:18PM

        by DannyB (5839) Subscriber Badge on Monday June 17 2019, @08:18PM (#856772) Journal

        How can you know that the NSA isn't behind this idea?

        Keeping the random numbers secret is almost as bad as keeping your private keys a secret. Therefore, do away with private keys and use new keyless entry from the NSA. People will like the sound of that.

        As for entropy, if these random number generators start to develop small vibrations due to a worn bearing, won't that increase randomness? Or introduce an imposed predictable pattern upon the output?

        Outsourcing your random number generation to someone else for free? Managers will like that!

        --
        The people who rely on government handouts and refuse to work should be kicked out of congress.
    • (Score: 5, Informative) by melikamp on Monday June 17 2019, @08:16PM

      by melikamp (1886) on Monday June 17 2019, @08:16PM (#856770) Journal

      The idea is that you can trust a superposition of many independent contributions, because as long as just 1 contributor is honest, robust, and secure, you get your randomness.

      Their explanation [cloudflare.com] is waaaay complicated, and I think their process is as well. I actually have a little paper [melikamp.com] on how to do this manually, but nothing in there precludes automation, which is what this project seems to be shooting for.

      You need some independent participants, obviously, who will provide randomness, and (optionally) a host to facilitate communication. The steps for generating a random pad are:

      1. Each participant generates a random pad of set length, encrypts it with a symmetric cypher, and publishes the cyphertext.

      2. Host collates cyphertexts into a single file phase1.tar and publishes it.

      3. Each participant saves phase1.tar, verifies that the file contains their entry, signs phase1.tar with public key cypher, and publishes the signature.

      4. Host collects all signatures, verifies them, collates phase1.tar and signatures into a single file phase2.tar, and publishes it. No new entries can be added after this point, or else gaming outcome becomes possible.

      5. Each participant saves phase2.tar, verifies that their entry is still OK, signs phase2.tar with public key cypher, and publishes the signature.

      6. Host collects phase2.tar signatures, verifies them, collates everything again into phase3.tar, and publishes it.

      7. Each participant saves phase3.tar, makes sure that all participants have signed it correctly, and then publishes the symmetric key for the original cyphertext entry.

      8. Host collects symmetric keys, decrypts entries, XORs them, and publishes the result.

      If you can trust just one participant to be honest and competent, you got your bits now :)
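
Added example, not part of melikamp's comment or the linked paper: a minimal Python sketch of the commit-then-reveal flow in the steps above. It uses a SHA-256 hash commitment in place of the symmetric cipher and reduces the signing rounds of steps 3 to 6 to the digest returned by `freeze`; the `Host` class, participant names and pads are constructed for illustration.

```python
import hashlib
import secrets
from functools import reduce

PAD_LEN = 64  # bytes: 512 bits, the beacon output size quoted in the story

def commit(pad: bytes, nonce: bytes) -> bytes:
    """Hash commitment, standing in for the ciphertext published in step 1."""
    return hashlib.sha256(b"pad-commit" + nonce + pad).digest()

def xor_all(pads) -> bytes:
    """Byte-wise XOR of equal-length pads (step 8)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*pads))

class Host:
    def __init__(self):
        self.commitments, self.frozen = {}, False  # name -> commitment

    def submit(self, name: str, commitment: bytes) -> None:
        if self.frozen or name in self.commitments:
            raise RuntimeError("entries are closed or the name is taken")
        self.commitments[name] = commitment

    def freeze(self) -> bytes:
        self.frozen = True  # step 4: no new entries after this point
        entries = sorted(self.commitments.items())  # digest participants would sign
        return hashlib.sha256(b"".join(n.encode() + b"\0" + c for n, c in entries)).digest()

    def combine(self, reveals: dict) -> bytes:
        """Check each revealed (pad, nonce) against its commitment, then XOR."""
        if not self.frozen or set(reveals) != set(self.commitments):
            raise ValueError("entries still open, or reveals do not match entries")
        for name, (pad, nonce) in reveals.items():
            if len(pad) != PAD_LEN or commit(pad, nonce) != self.commitments[name]:
                raise ValueError(f"{name}: reveal does not match commitment")
        return xor_all([pad for pad, _ in reveals.values()])

def demo():
    """Constructed run: alice and bob are honest, mallory tries to steer."""
    pads = {n: (secrets.token_bytes(PAD_LEN), secrets.token_bytes(16))
            for n in ("alice", "bob", "mallory")}
    others = [pads["alice"][0], pads["bob"][0]]
    steering = xor_all(others + [bytes(PAD_LEN)])  # last mover solves for all zeros
    forced = xor_all(others + [steering]) == bytes(PAD_LEN)
    host = Host()
    for name, (pad, nonce) in pads.items():
        host.submit(name, commit(pad, nonce))
    host.freeze()
    try:  # mallory reveals the steering pad instead of the committed one
        host.combine({**pads, "mallory": (steering, pads["mallory"][1])})
        caught = False
    except ValueError:
        caught = True
    return forced, caught, host.combine(pads)
```

`demo()` returns `(True, True, <64 bytes>)`: XORing pads submitted in the clear lets the last submitter fix the result, while the committed run rejects the swapped pad and yields a value no single participant chose.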

  • (Score: 3, Funny) by NotSanguine on Monday June 17 2019, @06:55PM (5 children)

    Can I join the "League of Entropy"?

    Do we get to wear capes and stuff?

    Here we go!

    $ cat /dev/urandom |nc -l 7337

    Boo Yah!

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 3, Informative) by EvilSS on Monday June 17 2019, @07:42PM

      by EvilSS (1456) Subscriber Badge on Monday June 17 2019, @07:42PM (#856754)
      NO CAPES!
    • (Score: 2) by istartedi on Monday June 17 2019, @07:47PM

      by istartedi (123) on Monday June 17 2019, @07:47PM (#856757) Journal

      Can I join the "League of Entropy"?

      I'll flip. You call heads or tails.

      --
      Appended to the end of comments you post. Max: 120 chars.
    • (Score: 3, Funny) by Megahard on Monday June 17 2019, @09:43PM

      by Megahard (4782) on Monday June 17 2019, @09:43PM (#856804)

      A picture of my office should get me in.

    • (Score: 2) by Runaway1956 on Tuesday June 18 2019, @04:10PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Tuesday June 18 2019, @04:10PM (#857037) Journal

      Is your $ CAT dead, or alive? How will the randomness be affected, by either condition?

  • (Score: 2) by Rupert Pupnick on Monday June 17 2019, @07:47PM (1 child)

    by Rupert Pupnick (7277) on Monday June 17 2019, @07:47PM (#856756) Journal

    I really wish they’d stop using the word “entropy” to represent the idea of randomness. Randomness is a concept that’s closer to “noise” or “uncertainty”, especially in terms of implementation.

    How hard it is to produce randomness is a matter of degree. If you are trying to create a high grade broadband laboratory noise source, it’s hard. To use as a seed for cryptography, not so much.

    • (Score: 3, Funny) by HiThere on Monday June 17 2019, @07:59PM

      by HiThere (866) Subscriber Badge on Monday June 17 2019, @07:59PM (#856763) Journal

      A decent quality, not lab grade, is actually pretty easy. Just take the float time, divide by 111.1, interpret that float as an integer, and then take that value mod whatever modulus you need. It's sure not technically perfect, but it's random enough for nearly everything I need it for. (For most things just using the current time as a seed is good enough.)

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 1, Interesting) by Anonymous Coward on Monday June 17 2019, @08:01PM (1 child)

    by Anonymous Coward on Monday June 17 2019, @08:01PM (#856765)

    So the argument is "what good is a secret if the world knows it?"

    Except this effort is not pointless. Randomness has the weird behavior that you can only increase it, not decrease it. You can take any two pieces of random data, xor them together, and at worst the result is "only as random as one of them." It is never less random as a result.

    So you can take your own source of randomness, combine this one in as another source, and have something which is better (or at least no worse) than what you previously had. As long as you don't depend on this alone, it will make things harder even for a state-sponsored attacker (as they need to cross reference timestamps, algorithms, etc), and for most casual and semi-casual usages it would be better.

    I still think it's a bit silly, but it's not completely useless... and who knows, maybe it will lead to something amazing.

    • (Score: 2) by urza9814 on Monday June 17 2019, @08:19PM

      by urza9814 (3954) on Monday June 17 2019, @08:19PM (#856775) Journal

      Except this effort is not pointless. Randomness has the weird behavior that you can only increase it, not decrease it. You can take any two pieces of random data, xor them together, and at worst the result is "only as random as one of them." It is never less random as a result.

      Assuming everything is implemented correctly. But that assumption is typically where security fails.

      How many coders do you trust to actually understand that and implement it properly, vs how many code monkeys will either use this as a sole primary or fallback source, or as a way to get more entropy by simply appending the data instead of xor-ing it, or some other manner of stupidity?

      Also be aware that the note in TFS about not using this for cryptography comes from the article, not the "League of Entropy" itself. If you look on the cloudflare site, they explicitly advertise it as a high quality entropy source for cryptographic applications, and claim it's more secure than any of the alternatives. So how many code monkeys are going to pick the single "best, most secure" number generator and be done with it? After all, combining multiple sources is what LoE does already, so why reinvent the wheel in your own code? (Heck, at least half these guys will be sitting there going "Hey, that's a great idea! Glad they're doing it for me!") How easy would it be to compromise those systems by keeping a log of the LoE entropy readings? At 512 bits every 60 seconds, you'd need around a hundred gigs per year to store the whole thing. A friggin' high school student could put that together.

  • (Score: 2) by Rupert Pupnick on Monday June 17 2019, @08:19PM

    by Rupert Pupnick (7277) on Monday June 17 2019, @08:19PM (#856774) Journal

    Or you could always go down to the local bar, get a cold one, and start writing down Keno numbers. Scale and format as desired, perhaps with a smartphone app someone could write.

    You know those lottery guys have too much money at stake to mess it up.

  • (Score: 0) by Anonymous Coward on Monday June 17 2019, @08:54PM (1 child)

    by Anonymous Coward on Monday June 17 2019, @08:54PM (#856794)
    • (Score: 2) by Freeman on Tuesday June 18 2019, @03:46PM

      by Freeman (732) on Tuesday June 18 2019, @03:46PM (#857020) Journal

      The xkcd you mentioned was included in the summary, and the 2nd post (a reply to the first post) included the Dilbert you mentioned as well.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 0, Troll) by Bot on Monday June 17 2019, @10:10PM

    by Bot (3902) on Monday June 17 2019, @10:10PM (#856812) Journal

    Why keep using intrinsically deterministic machinery to come up with randomness, when you have literally billions of perfectly random sources of behavior

    AKA women

    ?

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Monday June 17 2019, @10:17PM

    by Anonymous Coward on Monday June 17 2019, @10:17PM (#856814)

    .. there are wilder examples .. https://en.m.wikipedia.org/wiki/Global_Consciousness_Project [wikipedia.org]

  • (Score: 2) by SemperOSS on Monday June 17 2019, @10:28PM

    by SemperOSS (5072) on Monday June 17 2019, @10:28PM (#856818)

    Always nice to see the community spirit spread into the tech sector with random acts of goodness.


    --
    I don't need a signature to draw attention to myself.
    Maybe I should add a sarcasm warning now and again?
  • (Score: 2) by The Shire on Monday June 17 2019, @10:31PM

    by The Shire (5824) on Monday June 17 2019, @10:31PM (#856819)

    Essentially, if it's known when the number was fetched then the seed value is also known. This reduces the complexity of determining the key that seed was used to generate. You cannot increase entropy by providing known seed values. And if you're trying to generate large numbers of keys, then all those keys will be based on a single known seed value since that number is only changed every 60 seconds.

    It's far more practical to generate your seed values locally. In fact, you're better off pulling a random value from global weather reports - barometric pressure, rainfall, windspeed at a random location than using their value.

    Bottom line, it's pointless to have a "random" seed that changes infrequently (in terms of computer speed) and is available to the world. It's trivial for anyone to keep a list of the 86,400 seeds generated each day along with their timestamps for later reference.

  • (Score: 4, Informative) by pipedwho on Tuesday June 18 2019, @12:03AM (2 children)

    by pipedwho (2032) on Tuesday June 18 2019, @12:03AM (#856839)

    This random number is NOT intended for secrets as seems to be assumed by most of the above posts. It is intended as an auditable trail for random generation when a publicly chosen random number is needed that can be shown to have not been spoofed by the selecting party.

    For example, let's say the next round of AES style crypto functions needs a unique seed for a curve that contains sufficient entropy so it can be shown to be unlikely to contain a mathematically derived trapdoor. This sort of entropy source is a good choice as it can't be spoofed a priori.

    This is not intended to seed your password generator, ephemeral crypto keys, or any other secret that you don't want exposed.

    • (Score: 2) by Rupert Pupnick on Tuesday June 18 2019, @08:49PM (1 child)

      by Rupert Pupnick (7277) on Tuesday June 18 2019, @08:49PM (#857169) Journal

      Thanks for pointing this out. It was at the bottom of TFS and I missed it.

      It would seem that a rotating cage full of numbered ping pong balls would meet this requirement, just not as frequently or conveniently.

      • (Score: 2) by pipedwho on Wednesday June 19 2019, @12:57AM

        by pipedwho (2032) on Wednesday June 19 2019, @12:57AM (#857268)

        Interestingly, for something like a lottery, this system could be used to show that the next series of random numbers that make up the lottery winning numbers are derived from multiple trusted sources, where only one needs to be trustworthy to guarantee a truly random outcome. This allows everyone to audit the result of the lottery and remove any bias that may be introduced by a faulty (or rigged) ball dropping box. The ball dropping box could be added to it as a further source of entropy, and any bias it introduces would be automatically cancelled by other better random sources.
