Hot on the heels of the news about the League of Entropy, I offer my own analysis of various challenges present in the quest for random bits. Thanks to the exposure of this development by SoylentNews, I dug up my old 2012 proposal and saw that LoE implemented something very similar, but fully automated. Remarkably, it took me some 7 years to realize that my original proposal can be easily adopted for robots, and now I am delighted to share with you a very basic description of the problem, the difficulties, and the implementation details.
And by the way, you may not think that when you see the format, but this is intended as a scholarly article, and it is currently in peer review phase — where it will remain for as long as it is useful — and there are people willing to maintain it. Please feel welcome to offer comments, ideas, corrections via email or xmpp, and I will do my best to create a review journal and credit everyone involved, as appropriate.
Related Stories
Like some kind of space-age Bingo hall caller, a cloud-based API that publicly streams random numbers arrives today, and is being touted by Cloudflare.
The web-distribution giant is enlisting the help of four other organizations and a handful of researchers to create what it calls the League of Entropy, a project aimed at creating and maintaining tools that output random numbers.
The project combines Cloudflare's own LavaRand lava-lamp-based random number generator with EPFL's URand, UChile's random number generator, Kudelski Security's ChaChaRand, and Protocol Labs' InterplanetaryRand. The combined systems will funnel their random data into an endpoint called Drand, and every 60 seconds it will output a 512-bit value to the world, so that anyone can fetch the digits and use them for their random numbers.
[...] "This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers."
This is where it should be noted that the public system will not be recommended in any way, shape, or form for use with cryptographic or security-sensitive tools or applications, for obvious reasons. Those who want a stream of private numbers can link up with Drand or the individual beacons directly rather than stream from the public API.
[...] Rather, Cloudflare sees the public strings being used for things like election auditing or scientific research where officials will want true random numbers that can be verified as untouched from the source. You can find more details of this over on the Cloudflare website by the time you read this.
Obligatory xkcd and Donald Knuth's exposition on the challenges of trying to create random numbers.
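The election-auditing use mentioned above only works if the way the public value is turned into a selection is itself fixed and reproducible. The sketch below is an added example, not drand's code or API and not part of the original story: the function names, the ballot manifest, and the stand-in beacon value are all hypothetical. It assumes the 512-bit value has already been fetched and that the manifest commitment was published before the round fired.

```python
import hashlib
import hmac

def commit_manifest(ballot_ids):
    """Hash the ordered ballot list; published BEFORE the beacon round fires."""
    h = hashlib.sha256()
    for bid in ballot_ids:
        h.update(len(bid).to_bytes(4, "big") + bid.encode())
    return h.hexdigest()

def _uniform_below(key, counter, n):
    """Rejection-sample an unbiased integer in [0, n) from HMAC-SHA256 output."""
    nbytes = (n.bit_length() + 7) // 8
    limit = (256 ** nbytes // n) * n      # largest multiple of n that fits
    while True:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
        value = int.from_bytes(block[:nbytes], "big")
        if value < limit:
            return value % n, counter

def select_sample(beacon_value, round_no, ballot_ids, k):
    """Deterministically pick k distinct ballots from a public beacon value."""
    if len(beacon_value) != 64:
        raise ValueError("expected a 512-bit beacon value")
    if not 0 <= k <= len(ballot_ids):
        raise ValueError("sample size out of range")
    # Bind the draw to the round and the committed manifest so neither can be swapped later.
    key = hashlib.sha256(beacon_value + round_no.to_bytes(8, "big")
                         + bytes.fromhex(commit_manifest(ballot_ids))).digest()
    pool, counter = list(ballot_ids), 0
    for i in range(k):                    # partial Fisher-Yates shuffle
        j, counter = _uniform_below(key, counter, len(pool) - i)
        pool[i], pool[i + j] = pool[i + j], pool[i]
    return pool[:k]

def verify_sample(beacon_value, round_no, ballot_ids, published_commitment, claimed):
    """Any observer re-runs the draw; a changed manifest or sample is rejected."""
    if not hmac.compare_digest(commit_manifest(ballot_ids), published_commitment):
        return False
    return select_sample(beacon_value, round_no, ballot_ids, len(claimed)) == claimed

# Constructed sample data: not a real beacon output or ballot manifest.
BALLOTS = [f"ballot-{i:04d}" for i in range(1000)]
BEACON = hashlib.sha512(b"constructed stand-in for round 42").digest()
```

Because the key depends on the beacon value, the round number, and the manifest commitment, an auditor who announces the round in advance cannot retry rounds or reorder ballots without the mismatch being visible to anyone who re-runs `verify_sample`.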
(Score: 0) by Anonymous Coward on Friday June 21 2019, @09:29AM (2 children)
And if you can't for some reason(s), then all this collaborative generation stuff is probably useless to you too for similar reasons.
The lottery can say they're using those random numbers as a seed but how can you be sure? You still have to trust them. AND you have to trust them in HOW they use that seed too.
In fact having the lottery use a publicly visible physical process (e.g. "juggled/shuffled" balls) to pick their lottery numbers might still be better than some blackbox random generation since:
a) the gamblers can see for themselves whether the degree of randomness is good enough for them
b) potential gamblers might see and have the hope that the stuff isn't 100% random and they can somehow have a better chance than random of winning... ;)
(Score: 2) by Freeman on Friday June 21 2019, @02:15PM
This comment feels too soon, after the recent random number generation article on soylent, but here it is anyway:
Random Number:
https://www.xkcd.com/221/ [xkcd.com]
Tour of Accounting:
https://dilbert.com/strip/2001-10-25 [dilbert.com]
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by HiThere on Friday June 21 2019, @06:25PM
A web cam of a fire is a good source of random numbers. I used to advise an over amplified receiver with no antenna, but these days those are harder to connect...and transistors don't produce as high a quality of noise as vacuum tubes did.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Friday June 21 2019, @12:10PM (1 child)
maybe soon we will all fatigue of green?
(Score: 2) by martyb on Friday June 21 2019, @12:22PM
It's not easy being green.
--Kermit the Frog
=)
Wit is intellect, dancing.
(Score: 2) by takyon on Friday June 21 2019, @12:25PM
Get 'Uncrackable' Quantum Keys [soylentnews.org]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Insightful) by martyb on Friday June 21 2019, @01:23PM (1 child)
I just finished reading the proposal.
1.) Though the intended audience is sure to know what it stands for, as the intent is to persuade the less-knowledgeable general public, too, I would suggest expanding *all* acronyms on first use. For example: PRNG and RUNE.
2.) I see the use of symmetric keys as well as public key encryption, but I fail to see the rationale for using one over the other in each case. That could well be due to my limited understanding of the subject matter. Still, I would appreciate an exposition/explanation of each of them, the properties significant to the discussion, and the rationale for how it was decided to use each of them in each place-of-use.
3.) Although seemingly tedious, it would help greatly to see the benefits and shortcomings of having 1, 2, and 3 participants in worked-out examples through the proposed mechanism.
All in all, I must say it was quite readable and I found the discussion to be interesting.
Thanks for the story submission!
Wit is intellect, dancing.
(Score: 2) by melikamp on Friday June 21 2019, @03:36PM
(Score: 3, Insightful) by Lester on Saturday June 22 2019, @08:24AM
I'm not sure if it was about this project, but it was something similar; the review said: "It's an interesting source of random bits but not intended for cryptographic uses".
But according to the creators, it is a good source for cryptography:
I'm a little astonished. For good cryptography, you need a good source of random bits; unfortunately, it is not always easy to get a good source of entropy. But if you think your local random bits are not reliable, and can be predicted in some way, let alone starting a connection that can be intercepted, and then there is no prediction or guessing, but real data. Connection is always the weakest spot; there are a lot of points that can fail: DNS, MiM, faked CAs.... To begin with, if your random bits are not as random as you think, how do you establish a secure connection with the external random source? To establish any TLS you need to generate a random key and/or challenge, so you are going to use your insecure random bits to generate a not-random nonce to start a connection to get a more reliable random!?!?