Decentralized Randomness and the League of Entropy
When I heard of drand, a distributed randomness beacon daemon, my nerd-o-meter lit up. What is it, why do we need it, how random is it, and why is it distributed or decentralized?
Decentralized vs distributed
First off, I will often conflate the terms "distributed" and "decentralized". Distributed computing often refers to networked systems of CPUs which each process a slice of a whole computation (e.g. trying one unique hash to crack a password). Decentralized means there's no single special point of control or authority. Both terms can describe drand and how it produces random values.
A random walk
Wait, but what do we even mean by randomness? Randomness is statistically randomly distributed but, more importantly, unpredictable. Knowing the most recent value(s) give(s) no indication of the next value(s). Stock prices are often said to be unpredictable for a given time scale and are said to move in a "random walk" over a period, going up and down in an unpredictable manner. Likewise, a coin toss's outcome should be random as should 100 coin tosses in a row, despite any expectation of outcome distribution among the 100.
Vegas was built on randomness
So why is randomness useful? Critical components of our modern digital world rely on an assumption of randomness to be safe and trustworthy. Randomness is key in cryptography where a random seed prevents an attacker from intercepting encrypted communication. Random values are used in games to make them fun, but also to make them fair. Poker relies on a random shuffling of cards. Otherwise, winning would be a simple matter of memorizing the order the cards are in. A number of electronic gambling devices at casinos around the world were "beaten" by punters who realized their internal random number generators [RNGs] were not actually random. Casinos require state inspectors to ensure that a machine's random number generator is truly random and fair.
Do we really need governments to ensure digital randomness?
Randomness is also critical in statistics where a pattern or predictability can be exploited to game the outcome. In the US, failed randomness has led to things like black defendants being tried by a completely white jury rather than a jury of (randomly selected) peers.
How hard is it to make a random number?
If a computer spit out: 5 0 3 9 2 2 7 6 1
Would you be convinced it was random? You might. But computers can spit out random looking strings of numbers which are actually predictable just by knowing the "seed" value and the algorithm used. These are called pseudo random number generators (PRNGs). In a pinch, this may be sufficient for a kid's game with no consequences for getting hacked. For serious applications, we need serious randomness. All the serious random number generators I know of use unpredictable aspects of physical reality and convert those into digital values.
Random.org is a website that has been giving away free random numbers since the late 90s. It gets its randomness from radio static as a proxy for random atmospheric conditions. This source of randomness is also called a source of entropy.
Lava lamp blob shapes are thought to be random. So Cloudflare uses a wall of lava lamps watched by digital cameras as a source of entropy to feed into their random number generators.
The League of Entropy
Cloudflare is also a founding member of the League of Entropy along with some universities and Protocol Labs (builders of IPFS), foundations (like the Ethereum Foundation), non-profits, and private enterprises (including security companies).
The League are the ones powering the nodes which provide decentralized and distributed sources of entropy for random number generation. One member uses keyboard and mouse click events as entropy to produce random numbers, something every computer can already do itself (Linux does this) but not in huge amounts. Maybe you were asked to bang on a keyboard to produce an ssh key in the past. Another source of entropy is seismic activity in Chile.
These various sources of entropy can be used together like Voltron to create a bigger, more powerful source of entropy. And one source can go down (or get hacked!) while the rest of the network maintains random number generation. The total amount of entropy is high enough for most use cases. And more nodes can join as operators and provide more entropy.
Users of this service can get new numbers every minute. You can get numbers publicly or privately. For cryptographic uses, you would want private numbers otherwise an attacker could snoop on your communication by combining the seed and the algorithm you were known to be using. For provably fair gaming, you would use public numbers.
A drand randomness beacon is composed of a distributed set of nodes and has two phases: Setup: Each node first generates a long-term public/private key pair. Then all of the public keys are written to a group file together with some further metadata required to operate the beacon. After this group file has been distributed, the nodes perform a distributed key generation (DKG) protocol to create the collective public key and one private key share per server. The participants NEVER see/use the actual (distributed) private key explicitly but instead utilize their respective private key shares for the generation of public randomness. Generation: After the setup, the nodes switch to the randomness generation mode. Any of the nodes can initiate a randomness generation round by broadcasting a message which all the other participants sign using a t-of-n threshold version of the Boneh-Lynn-Shacham (BLS) signature scheme and their respective private key shares. Once any node (or third-party observer) has gathered t partial signatures, it can reconstruct the full BLS signature (using Lagrange interpolation). The signature is then hashed using SHA-256 to ensure that there is no bias in the byte representation of the final output. This hash corresponds to the collective random value and can be verified against the collective public key.