Like some kind of space-age Bingo hall caller, a cloud-based API that publicly streams random numbers arrives today, and is being touted by Cloudflare.
The web-distribution giant is enlisting the help of four other organizations and a handful of researchers to create what it calls the League of Entropy, a project aimed at creating and maintaining tools that output random numbers.
The project combines Cloudflare's own LavaRand lava-lamp-based random number generator with EPFL's URand, UChile's random number generator, Kudelski Security's ChaChaRand, and Protocol Labs' InterplanetaryRand. The combined systems will funnel their random data into an endpoint called Drand, and every 60 seconds it will output a 512-bit value to the world, so that anyone can fetch the digits and use them for their random numbers.
[...] "This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers."
This is where it should be noted that the public system will not be recommended in any way, shape, or form for use with cryptographic or security-sensitive tools or applications, for obvious reasons. Those who want a stream of private numbers can link up with Drand or the individual beacons directly rather than stream from the public API.
[...] Rather, Cloudflare sees the public strings being used for things like election auditing or scientific research where officials will want true random numbers that can be verified as untouched from the source. You can find more details of this over on the Cloudflare website by the time you read this.
Obligatory xkcd and Donald Knuth's exposition on the challenges of trying to create random numbers.
(Score: 4, Informative) by pipedwho on Tuesday June 18 2019, @12:03AM (2 children)
This random number is NOT intended for secrets as seems to be assumed by most of the above posts. It is intended as an auditable trail for random generation when a publicly chosen random number is needed that can be shown to have not been spoofed by the selecting party.
For example, let's say the next round of AES-style crypto functions needs a unique seed for a curve that contains sufficient entropy so it can be shown to be unlikely to contain a mathematically derived trapdoor. This sort of entropy source is a good choice as it can't be spoofed a priori.
This is not intended to seed your password generator, ephemeral crypto keys, or any other secret that you don't want exposed.
(Score: 2) by Rupert Pupnick on Tuesday June 18 2019, @08:49PM (1 child)
Thanks for pointing this out. It was at the bottom of TFS and I missed it.
It would seem that a rotating cage full of numbered ping pong balls would meet this requirement, just not as frequently or conveniently.
(Score: 2) by pipedwho on Wednesday June 19 2019, @12:57AM
Interestingly, for something like a lottery, this system could be used to show that the next series of random numbers that make up the lottery winning numbers are derived from multiple trusted sources, where only one needs to be trustworthy to guarantee a truly random outcome. This allows everyone to audit the result of the lottery and remove any bias that may be introduced by a faulty (or rigged) ball dropping box. The ball dropping box could be added to it as a further source of entropy, and any bias it introduces would be automatically cancelled by other better random sources.
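The "only one source needs to be trustworthy" property discussed in the comments above, as an added example that is not part of any comment and is not Drand's own protocol: contributions are XORed together, and each is checked against a SHA-256 commitment published before any reveal, so that the honest contribution is independent of the others. The source names, the 0.8 bias and the seeded generator are constructed for the simulation.

```python
import hashlib
import hmac
import random

def commit(value: bytes, nonce: bytes) -> bytes:
    """Commitment each source publishes before anyone reveals a contribution."""
    return hashlib.sha256(nonce + value).digest()

def combine(reveals: dict, commitments: dict) -> bytes:
    """XOR the 32-byte contributions, rejecting any reveal that does not
    match the commitment published earlier (the auditable trail)."""
    out = bytes(32)
    for name, (value, nonce) in reveals.items():
        ok = len(value) == 32 and hmac.compare_digest(
            commit(value, nonce), commitments[name])
        if not ok:
            raise ValueError(f"{name}: reveal does not match commitment")
        out = bytes(a ^ b for a, b in zip(out, value))
    return out

def ones_fraction(data: bytes) -> float:
    """Fraction of 1 bits; about 0.5 for unbiased output."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def biased_bytes(rng, n: int, p_one: float) -> bytes:
    """Constructed 'rigged ball box': each bit is 1 with probability p_one."""
    return bytes(sum((rng.random() < p_one) << i for i in range(8))
                 for _ in range(n))

def simulate(rounds: int = 2000, seed: int = 1):
    """Return (bias of the rigged source alone, bias of the combined output)."""
    rng = random.Random(seed)  # seeded for a repeatable demo, not for real use
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    box_all, out_all = bytearray(), bytearray()
    for _ in range(rounds):
        reveals = {
            "ball_box": (biased_bytes(rng, 32, 0.8), rand(16)),  # hypothetical
            "honest": (rand(32), rand(16)),                      # hypothetical
        }
        commitments = {k: commit(v, n) for k, (v, n) in reveals.items()}
        box_all += reveals["ball_box"][0]
        out_all += combine(reveals, commitments)
    return ones_fraction(bytes(box_all)), ones_fraction(bytes(out_all))

if __name__ == "__main__":
    print("rigged source alone, combined output:", simulate())
```

The cancellation depends on the honest contribution being independent of the others, which is what collecting every commitment before the first reveal enforces.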