Like some kind of space-age Bingo hall caller, a cloud-based API that publicly streams random numbers arrives today, and is being touted by Cloudflare.
The web-distribution giant is enlisting the help of four other organizations and a handful of researchers to create what it calls the League of Entropy, a project aimed at creating and maintaining tools that output random numbers.
The project combines Cloudflare's own LavaRand lava-lamp-based random number generator with EPFL's URand, UChile's random number generator, Kudelski Security's ChaChaRand, and Protocol Labs' InterplanetaryRand. The combined systems will funnel their random data into an endpoint called Drand, and every 60 seconds it will output a 512-bit value to the world, so that anyone can fetch the digits and use them for their random numbers.
[...] "This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers."
This is where it should be noted that the public system will not be recommended in any way, shape, or form for use with cryptographic or security-sensitive tools or applications, for obvious reasons. Those who want a stream of private numbers can link up with Drand or the individual beacons directly rather than stream from the public API.
[...] Rather, Cloudflare sees the public strings being used for things like election auditing or scientific research where officials will want true random numbers that can be verified as untouched from the source. You can find more details of this over on the Cloudflare website by the time you read this.
Obligatory xkcd and Donald Knuth's exposition on the challenges of trying to create random numbers.
(Score: 2, Funny) by Anonymous Coward on Monday June 17 2019, @06:44PM (5 children)
So we're just supposed to "trust" them.
(Score: 2, Funny) by Anonymous Coward on Monday June 17 2019, @07:11PM (1 child)
https://dilbert.com/strip/2001-10-25 [dilbert.com]
(Score: 2) by Freeman on Tuesday June 18 2019, @03:43PM
I love me some Dilbert, though sometimes, it can be depressingly accurate.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Interesting) by edIII on Monday June 17 2019, @07:45PM (1 child)
It's worse than that. Usually, you collect randomness (or entropy) from the world directly around you. The source of randomness is as important as its entropy. In order to predict the random numbers being sourced from your environment, they would need a very accurate model of your environment. With the League of Entropy you can be watched to see what you consume, and the LoE can be monitored for its output.
Random numbers need to be high in entropy and secret. What's the difference between this and asking the NSA to send you some high entropy randomness over your fax machine?
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by DannyB on Monday June 17 2019, @08:18PM
How can you know that the NSA isn't behind this idea?
Keeping the random numbers secret is almost as bad as keeping your private keys a secret. Therefore, do away with private keys and use new keyless entry from the NSA. People will like the sound of that.
As for entropy, if these random number generators start to develop small vibrations due to a worn bearing, won't that increase randomness? Or introduce an imposed predictable pattern upon the output?
Outsourcing your random number generation to someone else for free? Managers will like that!
If you think a fertilized egg is a child but an immigrant child is not, please don't pretend your concerns are religious
(Score: 5, Informative) by melikamp on Monday June 17 2019, @08:16PM
The idea is that you can trust a superposition of many independent contributions, because as long as just 1 contributor is honest, robust, and secure, you get your randomness.
Their explanation [cloudflare.com] is waaaay complicated, and I think their process is as well. I actually have a little paper [melikamp.com] on how to do this manually, but nothing in there precludes automation, which is what this project seems to be shooting for.
You need some independent participants, obviously, who will provide randomness, and (optionally) a host to facilitate communication. The steps for generating a random pad are:
1. Each participant generates a random pad of set length, encrypts it with a symmetric cypher, and publishes the cyphertext.
2. Host collates cyphertexts into a single file phase1.tar and publishes it.
3. Each participant saves phase1.tar, verifies that the file contains their entry, signs phase1.tar with public key cypher, and publishes the signature.
4. Host collects all signatures, verifies them, collates phase1.tar and signatures into a single file phase2.tar, and publishes it. No new entries can be added after this point, or else gaming outcome becomes possible.
5. Each participant saves phase2.tar, verifies that their entry is still OK, signs phase2.tar with public key cypher, and publishes the signature.
6. Host collects phase2.tar signatures, verifies them, collates everything again into phase3.tar, and publishes it.
7. Each participant saves phase3.tar, makes sure that all participants have signed it correctly, and then publishes the symmetric key for the original cyphertext entry.
8. Host collects symmetric keys, decrypts entries, XORs them, and publishes the result.
If you can trust just one participant to be honest and competent, you got your bits now :)
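
The commit-then-reveal flow in the steps above, as an added example that is not part of the original comment and is not drand's code. A SHA-256 hash commitment stands in for the symmetric-cypher step, and a digest of the collated set stands in for the phase files that participants sign; the function names, `PAD_LEN` and `NONCE_LEN` are assumptions.

```python
import hashlib
import hmac
import secrets

PAD_LEN = 32    # pad size in bytes (assumed for this example)
NONCE_LEN = 16  # per-participant blinding nonce (assumed)

def commit(pad, nonce):
    """Step 1 stand-in: publish this digest instead of a ciphertext."""
    if len(pad) != PAD_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("bad pad or nonce length")
    return hashlib.sha256(nonce + pad).digest()

def freeze(commitments):
    """Steps 2-6 stand-in: digest of the collated set that everyone signs."""
    h = hashlib.sha256()
    for name in sorted(commitments):
        h.update(name.encode() + b"\0" + commitments[name])
    return h.digest()

def combine(commitments, frozen, reveals):
    """Steps 7-8: verify every reveal against the frozen set, then XOR."""
    if not hmac.compare_digest(freeze(commitments), frozen):
        raise ValueError("commitment set changed after the freeze")
    out = bytes(PAD_LEN)
    for name, expected in commitments.items():
        if name not in reveals:
            raise ValueError(name + " withheld their reveal")
        pad, nonce = reveals[name]
        if not hmac.compare_digest(commit(pad, nonce), expected):
            raise ValueError(name + " revealed a pad they did not commit to")
        out = bytes(a ^ b for a, b in zip(out, pad))
    return out

def demo():
    # Constructed participants; only "alice" uses real randomness here.
    reveals = {
        "alice": (secrets.token_bytes(PAD_LEN), secrets.token_bytes(NONCE_LEN)),
        "bob": (bytes(PAD_LEN), bytes(NONCE_LEN)),       # all-zero pad
        "carol": (b"\xff" * PAD_LEN, bytes(NONCE_LEN)),  # all-ones pad
    }
    commitments = {n: commit(p, k) for n, (p, k) in reveals.items()}
    frozen = freeze(commitments)
    result = combine(commitments, frozen, reveals)
    # Predictable pads from bob and carol only flip alice's bits.
    return result == bytes(b ^ 0xFF for b in reveals["alice"][0])

if __name__ == "__main__":
    print(demo())
```

The check in `combine()` catches a changed or late entry, but a participant who reveals last can still compute the result privately and refuse to reveal. In that case `combine()` aborts rather than producing output without them.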