Hotbits vs. Random.org vs. Anything else?

Question

I was searching for a random seed to use with a pseudo-random number generator (not trying to encrypt anything). I went to the following web sites:

https://www.fourmilab.ch/hotbits/secure_generate.html

https://www.random.org/

It appears that Random.org has a solid history and is not experiencing problems with DDoS attacks because they do not require an API key. I obviously would not want to use anything from either of these sites as an encryption key, but does anyone know whether the results from using Random.org are any more or less truly random than what I could get from HotBits with my own API key?

I am mostly trying to make sure that my API key itself is not being used in the generation process. Other than that, I have no major ideas why I would avoid HotBits, outside of the inconvenience of ordering my own API key.

Answer 1

So, while the services you have mentioned are both providing relatively "discreet" randomness, while being publicly accessible, i.e. they don't display on a list all the random values that they have previously generated, I want to also point your attention to the existence of a so-called "public, verifiable randomness".

I am not sure what is your use-case, so please consider this with a grain of salt since it might not fit your needs at all.

What is public randomness?

What we call "public" randomness, is simply randomness that is meant to be public once "released". This kind of randomness is typically useful to say "look, I got nothing up my sleeves, I didn't cheat when choosing the random value".

The range of usecases for such randomness are broader than one might think initially, but it is important to keep in mind that public randomness is meant to be accessible by anybody, so please do not use such randomness to seed any PRNG that is producing secret keys, nonces, TLS stuff, or anything sensitive like that.

What is verifiable randomness?

Verifiable randomness generated in a way that can be somehow "proven" to be safe. This typically includes:

• proof that it wasn't biased
• proof that it wasn't tampered with
• proof that it is properly "pseudo-random"

In general, verifiable randomness must carry some kind of proof that it was properly generated, for a certain definition of "properly".

What for?

So public, verifiable randomness is typically useful when you need to:

• run a lottery, without having the risk of being accused of cheating
• do an election or a sortition at random (think of Jury election, leader election for a consensus algorithm, etc)
• any case where you plan on revealing the randomness after having drawn it, and need to prove you didn't cheat.

Furthermore such randomness is typically found in smart contracts and public ledgers, since it allows to increase the trust in the random value that it was properly generated in a pseudo-random way. However care must always be taken for such system not to use the public randomness in any way that could enable "front-running" by the miners or by bots: as soon as the random data is public, anybody can see "the winning lottery ticket", so to say, and so could submit a winning transaction if this is still possible at the time of production of the randomness. This is something to keep in mind, you typically want to "block" participation a few blocks before the actual public randomness is generated.

Services providing such verifiable public randomness

There are, as far as I know, mostly 2 public services available. (I'm not counting the many VFDs schemes that are flourishing lately)

• NIST very own Random Beacon project, currently in its v2 is leveraging secure hardware, including HSMs, plus a combination of multiple RNGs to produce verifiable, public randomness. See https://beacon.nist.gov/home for more details.

  This prototype implementation generates full-entropy bit-strings and posts them in blocks of 512 bits every 60 seconds. Each such value is sequence-numbered, time-stamped and signed, and includes the hash of the previous value to chain the sequence of values together and prevent even the source to retroactively change an output package without being detected.

  You can easily query their randomness using HTTP endpoints:

  • https://beacon.nist.gov/beacon/2.0/pulse/last
  • https://beacon.nist.gov/beacon/2.0/chain/1/pulse/1801851
  • https://beacon.nist.gov/beacon/2.0/chain/1/pulse/1803851 --> when querying a pulse in the future it will reply with a "Pulse Not Available." webpage.
  • You can also get their certificate to verify their signatures here So, they are using a DigiCert-issued certificate for the SHA256+RSA signature algorithm, with a 4096-bit key, which is fine as per nowadays security standards.
  • The viewer at the end of their webpage might require you to disable your adblocker for it to work, sadly.

  They also have a draft report with more details.

• drand and the League Of Entropy are running a public network relying on threshold BLS so that it suffices that any 12 of their 23 nodes are online for it to continue working and producing reliable public, verifiable randomness. You can also easily query their randomness using HTTP endpoints:

  • https://mainnet1-api.drand.cloudflare.com/public/latest
  • https://mainnet1-api.drand.cloudflare.com/public/1978653
  • or with their other public endpoints: https://api.drand.sh//public/latest
  • The public key is available here: https://api.drand.sh/info, 868f005eb8e6e4ca0a47c8a77ceaa5309a47978a7c71bc5cce96366b5d7a569937c529eeda66c7293784a9402801af31 and it is a BLS public key that allows to verify the signatures
  • currently their signed messages are chained, so you'll need to know the round number and the previous signature in order to verify the beacons. You can find some implementation showing how to do it (e.g. in Rust). They recently released an "unchained" testnet and will migrate to it on mainnet later this year, enabling easier, stateless verification.

  They have the details of their scheme on their website.

So in case you need "public", "verifiable" randomness, these are two options :)

But if you need to generate any kind of secret data using your PRNG, be careful:
DO NOT USE PUBLIC RANDOMNESS TO SEED IT.

For most usecases, as Gilles explained in his answer, relying on your operating system PRNG is sufficient and more secure than seeding your own PRNG with random data. Also, be aware that the PRNG you are using, even if seeded with properly random data might still not be good enough for cryptographic use! E.g. it's fairly easy to reverse Java Random PRNG because it's a plain LCG: https://crypto.stackexchange.com/a/51690/29574

Answer 2

For most uses, a random number needs to be secret. It needs to be something that nobody else knows. It is, by construction, impossible to obtain a random number from some website: the website also knows it.

Every modern computer has a random generator. Even more and more embedded devices have one. Just use that. It's available through your operating system, you don't need to do anything special. Just call getrandom() on Linux, BCryptGenRandom on Windows, /dev/*random on Unix-like operating systems, …

For some uses, a random number can be public, but what's important is that it's demonstrably not chosen by you. For example, lotto winning numbers. You can use a random generation service as a trusted third party to obtain random numbers that are not chosen by you, but then the problem is that you can't demonstrate that the random numbers weren't chosen by you. Even if you could prove that the random numbers were obtained by the service, you might have tried multiple times until you obtain numbers that are favorable to you.

If you need a demonstrably random number, see A source of randomness that anyone can independently, conveniently and robustly access?. That number will be public. If you need a random number that's both demonstrably random, and only known to a restricted set of people, then use a public demonstrably random number and a secret random number generated by you and shared to the restricted set before the demonstrably random number is available as inputs to a key derivation function.

Answer 3

I'm assuming that you're interested in those truly random seeds generated physically as part of a classic TRNG ($H_{in} > H_{out}$), and my answer is tailored accordingly.

I would avoid random.org by virtue of them not publishing exactly how the numbers are generated. "Atmospheric noise" is not a randomness generation and extraction technique in itself. Secrecy $\ne$ randomness. For all we know, they might use some linear congruential generators and lie about it. "We" wouldn't know unless we knew the algorithm(s). Although I have to accept that their numbers do seem statistically indistinguishable from random.

I'd also pretty much rule out the inbuilt CSPRNGs in modern computer kernels, which is what the other answer is alluding to. Since the venerable /dev/random was sabotaged out of existence (not broken), all you have remaining are pseudo random generators and not classic Kolmogorov TRNGs. Do not be fooled by representations that current inbuilt CSPRNGs are the same as ye olde /dev/random. That could create a kosher one time pad. It's replacement and Windows' alternatives cannot. Cui bono? Not the people.

So that leaves two new comers. There's the Ozzie ANU QRNG using vacuum zero point energy, and of course mine at reallyreallyrandom.com using (currently) a web camera.

Since you question the randomness of these sources, you have realised that there are varying levels of randomness in TRNGs depending on their final output entropy bias, $\epsilon$. NIST recommends $\epsilon < 2^{-64}$. I don't have bias figures for the others' RNGs above, but reallyreallyrandom.com's output bias is estimated to be a ridiculous $\approx 2^{-10,000}$. That's simply due to the input output numbers across the randomness extractor in accordance with the left over hash lemma. I just waste a lot of the entropy.

---

We don’t know whether contemporary pseudo random functions like SHA-2 can output blocks with so little bias as it’s impossible to generate the requisite massive data sample for analysis. My question on this matter remains open unfortunately.