Many things on the web use random things to work, and encryption is just one out of the many. The question is: how random is random?
Looking briefly at history, we humans have been long fascinated by random things, because we cannot guess what comes next. It's because randomness is not based on math or science, it's just a pure act of 'randomness'.
The ancients rolled “the bones” to determine their fate, for example. This can be dated back to thousands of years back.
Fast forward to the future, we are still in awe with randomness - both physically and virtually.
From computer security and quantum mechanics to lottery number generation, they all requires some form of randomness. Random numbers are core to the functioning of many complex systems and processes, including electoral auditing and cryptography.
Most of the time, people use random number generators to create random numbers. But these tools can fail. With technology that kept on developing, people can somehow guess or otherwise influence these tools in order to produce expected outcome.
Because not all random numbers are created equal, this is where 'The League of Entropy' wants to solve.
Cloudflare is better known as the internet company providing CDN and DDoS protection software. Here, it has partnered with four other organizations (universities and security companies) to create a tool that has a novel way of creating random numbers.
The League of Entropy is essentially, and also nonetheless, a random number generator. But what makes it unique is that, the tool follows the logic that several random numbers are more random than one random number.
- Cloudflare creates its random numbers using lava lamps in its headquarters. The flow of “lava” (parrafin wax) inside these lamps is known to be unpredictable. The company recorded the flow using a camera, which then transports the data into a pseudorandom number generator, which produces a value.
- The University of Chile get its random numbers based on several sources which are queried every minute. This includes the Ethereum blockchain, selected Twitter activity, data from a local radio station, a random number generator card, and local seismic activity.
- The École Polytechnique Fédérale de Lausanne (EPFL) creates random numbers using the local randomness generator present on every computer at /dev/urandom. The randomness input is collected from inputs such as keyboard presses, mouse clicks, network traffic, etc.. It then bundles these random inputs to produce a continuous stream of randomness.
- Kudelski Security creates its random numbers using a CRNG (Cryptographic Random Number Generator) based on the ChaCha20 stream cipher.
- Protocol Labs uses the power of entropy to ensure protocol safety using environmental noise and the Linux PRNG, supplemented by CPU-sourced randomness.
To share the random numbers, the League of Entropy uses a program called Drand (https://github.com/dedis/drand), a distributed service providing public randomness in an application-agnostic, secure, and efficient way. It was developed and written in Google’s Go programming language by researchers at the EPFL.
Data generated from these organizations are then composited together into one "truly" random number.
Explaining the project, Cloudflare said that:
"A decentralized randomness beacon combines randomness from multiple independent high entropy sources to generate a truly unbiased random number for anyone that may need a public source of randomness."
"This is the first time ever that a randomness beacon is run by several organizations in concert."
What makes this project interesting is that the decentralized randomness beacon uses multiple independent and distributed model of verifiable randomness, designed with resilience in mind.
This essentially removes the potential for a single point of failure.
In a hypothetical scenario, if one of the node fail or goes offline, either due to a system’s failure of a deliberate act of sabotage or flaw, the system can continue to work, as other nodes can mitigate potential exploitability.
"There are times when having private random generators matter a lot. We build those for ourselves. For the times when you need a public random generator, this is combining a number of different pieces together to verifiably know this is random," explained Cloudflare CEO Matthew Prince.
"What’s great about this is even if you have one organization that’s somehow corrupted or malicious, or is hacked in some way, so long as you have some source of entropy that’s being thrown in, that’ll inherently create a valid random source."
Cloudflare's project is open for other organizations that want to add their sources of entropy to the League.