Cloudflare’s new open-source project helps anyone obtain truly random numbers
Randomness sits at the heart of everything we do online. Many encryption algorithms depend upon randomly generated numbers to work, and that’s just one example of many. But how random is random?
It’s a fair question. History has shown that tools designed to generate random numbers — both physical and virtual — can be prone to failure. In this sense, failure means producing numbers that can be guessed or otherwise influenced in order to produce a certain outcome.
Do you wanna be in my gang?
Each of the organisations taking part in The League of Entropy has its own way of generating random numbers. In the case of Cloudflare, it has an array of lava lamps in its San Francisco headquarters. The unpredictable flow of “lava” (technically paraffin wax) in these lamps is recorded by a camera, which feeds the data into a pseudorandom number generator, which produces a value.
Data from these organisations will be composited into one random number. The logic follows that several random numbers are more random than one random number.
What makes this so interesting is that it’s designed with resilience in mind, and uses a distributed model. This means that should one of its nodes fall offline, either due to a system failure or a deliberate act of sabotage, it’ll continue to work, providing strong random numbers.
Not all random numbers are made equal
So, what’s this for? I got a chance to ask Cloudflare CEO Matthew Prince that very question when I visited him at the company’s airy Lambeth offices.
First things first, the League of Entropy’s random number generator isn’t good for any kind of password or cryptographic seed generation.
“Inherently, this is auditable. You can look back in time and see what the random value generated was,” Prince explained. That means that if you’ve got the value, you can go back in time and potentially re-create a password or cryptographic key.
“On the other hand, if you want to pick winners for a lottery, or do a number of other functions that matter enormously, and you need a way of having a known random source, this is a really valuable tool,” he added.
Prince was eager to emphasize that there are different manifestations of randomness in computer security.
“There are times when having private random generators matter a lot. We build those for ourselves. For the times when you need a public random generator, this is combining a number of different pieces together to verifiably know this is random,” he said.
One advantage of the League of Entropy’s approach is that it removes the potential for a single point of failure. In a hypothetical scenario, should researchers discover one flaw with a random number generator, the existence of the other four should mitigate against any potential exploitability.
“What’s great about this is even if you have one organisation that’s somehow corrupted or malicious, or is hacked in some way, so long as you have some source of entropy that’s being thrown in, that’ll inherently create a valid random source,” Prince said.
Cloudflare is open to other organisations adding their sources of entropy to the League. In the meantime, if you’re tempted to look at the source code to the Drand tool, it’s available to view here. You can also learn how to use the ultra-random numbers in your own applications here.
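To make the lottery use case Prince describes concrete, here is an added example (not code from Cloudflare or the Drand project) of a draw that anyone can recompute from a published random value. The function names, the entrant list and the beacon value are hypothetical and constructed for illustration; the sketch does not fetch or verify a real beacon round.

```python
import hashlib

# Constructed stand-in for one published beacon output (not a real drand round).
SAMPLE_BEACON = hashlib.sha256(b"constructed sample beacon").hexdigest()
ENTRANTS = ["alice", "bob", "carol", "dave", "erin"]  # constructed sample entrants


def draw_winners(beacon_hex, round_no, entrants, k):
    """Pick k distinct winners, determined only by public inputs."""
    pool = sorted(set(entrants))  # canonical order: every auditor starts from the same list
    if not 0 < k <= len(pool):
        raise ValueError("k must be between 1 and the number of distinct entrants")
    seed = hashlib.sha256(bytes.fromhex(beacon_hex) + round_no.to_bytes(8, "big")).digest()
    counter, winners = 0, []
    while len(winners) < k:
        n = len(pool)
        limit = (2**64 // n) * n  # reject draws past the last full multiple of n (no modulo bias)
        while True:
            block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
            counter += 1
            x = int.from_bytes(block[:8], "big")
            if x < limit:
                break
        winners.append(pool.pop(x % n))
    return winners


def audit_draw(published_winners, beacon_hex, round_no, entrants):
    """Anyone holding the public inputs can recompute the draw and compare."""
    expected = draw_winners(beacon_hex, round_no, entrants, len(published_winners))
    return expected == list(published_winners)


if __name__ == "__main__":
    winners = draw_winners(SAMPLE_BEACON, 1, ENTRANTS, 2)
    print("winners:", winners)
    print("audit passes:", audit_draw(winners, SAMPLE_BEACON, 1, ENTRANTS))
    # The same recomputability is why this value must never seed a key or password:
    # anyone who knows the round can rerun the derivation.
```

The organiser should commit to the entrant list and the round number before that round is published, otherwise the choice of round becomes a way to influence the outcome.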