Thank you. Yeah, thank you. Hello everyone. So yeah, I'm super happy to be back on stage after all these years without conferences; it's super nice to be able to present again. And so, as was said in the introduction, I'm currently a software engineer working on randomness. I used to be an applied cryptographer looking at other software engineers' code, and I even had nightmares about what I saw. So I'm here to make sure that you don't make the same mistakes when it comes to randomness as what I saw in the past. And I'm also super happy to be in the city tomorrow, well, tonight already. And yeah, let's start.

So today we'll discuss what randomness is and its different flavors. Next we'll talk about why we even need randomness: when do we use it, why, and so on. We'll see what the problems with randomness are and why it's hard, and finally we'll see how we do good randomness in practice and what remains to be done.

So what is randomness? If you look it up in the dictionary, it's the quality of being random. Great. They go on and we find a bit saying: the quality of being random, happening, done or chosen by chance rather than according to a plan. That's not exactly how we see randomness in computer science, right? So I found another dictionary which has a bit of a better definition: randomness is the quality or state of lacking a pattern. And here there is a very important word: it says unpredictability, and we'll see why it's very important later on.

So here I've picked a few random binary strings, 37 bits each. Can you tell me if the first one is random? It doesn't look random, right? So how about the second one, is it random? Probably. The third one doesn't look random either, right? So probably not random. The next one looks random, but if you look at the hexadecimal representation, it doesn't look random anymore. The last one also definitely doesn't look random.
So what that means is that even though all of these 37-bit random strings have the same probability of being drawn at random, we have some kind of intuition of what's random and what's not, right? So we'll see what that intuition actually means right now. When we talk about randomness we have a way to formalize it a bit: we use Kolmogorov complexity to look at randomness and say, oh, that looks random, or, oh, that doesn't look random. And the Kolmogorov complexity of a string is basically a way to see if you can compress it, you know, how much can you compress it. The all-ones binary string? Well, a lot, because it's only ones, so you just say, oh, it's 37 times one, and you've compressed it. On the other hand, if you've got a truly random value, it's way more difficult to compress in a general manner. So that's the intuition we have about randomness, and that's also what we want from randomness, right? Not being able to easily guess what's next, and so on. And we'll see what unpredictability and bias are later on.

So next, you know, my talk is about public, verifiable, distributed randomness, and you might be asking yourself: what are all those keywords? Right, so public randomness is basically just a value that is random but that is meant to be public. Think of lotteries: if you buy a ticket, you choose your numbers, and at some point they will draw the winning tickets by drawing a random value, and that random value is public. Anybody can look it up and see, oh, that's the winning number for today's lottery. And that's really what public randomness is about: it's something you want everybody to be able to access and use for their own needs, whatever it is, be it for, I don't know, a lottery game, or if you want to have some kind of gambling, and so on.

Next we'll make the difference between public and secret randomness, because public randomness is cool, but I guess you all have YubiKeys, SSH keys, PGP keys on your computers, right?
And these are secret keys that are not meant to be public. So if you take a public value, a public random value, and use that value to produce your secret key, that's not going to work well. So we also have the notion of secret randomness that is meant to stay secret, and that's typically the one we'll use for cryptography stuff like generating key material, nonces, or numbers that are meant to be used only once, and so on. So it's super important to keep that in mind: never use public randomness to generate secret keys. Seems obvious, right?

So next, public randomness is cool, but do you know it's actually random, right? We've seen earlier that it's very difficult to have an intuition of what's random and what's not, and even though we have one, we might have some doubts about, you know, the honesty of the person in front of us. Like if you create a tombola game and you give tickets to everybody and then one of your good friends wins the tombola, people might be like, hey, you cheated. So that's not something you typically want when you do something public, like on a blockchain, typically, where you have smart contracts which need random values, or in the lottery ecosystem, and for other use cases as well. So what we need next is a way to verify the randomness, and verifiable randomness is just that: it's a public random value that you can verify somehow. That's typically done using hashes, signatures or complex cryptography, and we'll touch on the ways to do it when we see the concrete instantiation in the "in practice" part of my talk.

And finally, we've got the distributed keyword in the title, and distributed randomness is just like what you think it is when you hear it: it's a random value that was achieved, that was created, by a distributed system. And that distributed system needs to achieve consensus on the random value, because otherwise it's not going to be a good distributed system if each node has different values at the same point in time. And that's very difficult to do, because you want your randomness to be unpredictable, but at the same time you want all of the nodes in your network to be able to generate the same value at the same moment. So how do you make it so that it's unpredictable but still generated on time by all nodes? That's again a very difficult task, and blockchain systems have struggled with that. If you look at Ethereum, for example, smart contracts on Ethereum have a very hard time trying to generate random values. And if you look at other distributed systems, usually what you'll find is that you have some kind of trusted third party providing the randomness, and that's not too great, because you need to trust somebody, and decentralization and distributed systems usually try to decentralize trust, you know. So we don't want to trust a single third party about anything, even our random values.

So that's going to be a short section, but why do we need randomness? Well, I spoke about lotteries and gambling already.
These are like obvious things. Other things you could think of are jury selection or sortition, and these are the kinds of things where you really need proper public randomness, probably because you want it to be publicly auditable, and so you want it to be verifiable as well. Next you obviously have all the cryptographic protocols: if you connect to a website nowadays, your computer is probably generating between two and five random values just for the initial connection, you know, generating ephemeral keys, nonces, and that's a lot of secret randomness, obviously. Next we have the use case of statistics and controlled trials in medicine: if you have a biased distribution when you pick your sample, the results of your study won't be really good, and it won't be, yeah, what you want it to be, so you need good randomness there as well, without any bias. And finally, we use it a lot in software in general, like if you do fuzzing, Chaos Monkey and so on, you also want to take random values, but these values can be generated by a PRNG, a pseudo-random number generator, that's going to be seeded in a way that's repeatable, so it can be deterministic. It doesn't need to be secret, it doesn't need to be public, but it still needs to be uniformly distributed in the values you're interested in.

So next we'll look into what the problems are that we have with randomness, because randomness seems easy, right? You just take a random value and you're done. So why is it a problem? I've talked about this a lot already, but randomness is difficult because you want it to be unpredictable and bias resistant. I mean, being unpredictable is kind of obvious: if you can predict the next lottery tickets, you can win it, or if you can predict the loot you'll get in a game, you can cheat, and so on. So it makes sense, right?
But the bias resistance thing is a bit less obvious, and actually for cryptographic algorithms it's super important, because the most used signature scheme nowadays is probably ECDSA. It's used for TLS, it's used on Bitcoin, Ethereum, and a lot of new systems nowadays are running using elliptic curve cryptography, and signature schemes such as ECDSA are super sensitive to bias. You will typically take at random a 256-bit value; well, if you have just one bit that is biased, or three bits, it's already a potential vulnerability that could leak your private key. So leaking the private key is the most catastrophic thing that can happen for a cryptographic system; you really don't want that to happen. So it's super important to have really unbiased random values for such cryptographic schemes.

And I guess a lot of you have already developed something where you needed a random number, right? So how do you do that if you want a number between 0 and 255? That's easy, right? You take a random byte: you can call your block device, /dev/urandom, to get a random byte out of your machine's entropy pool, and you get a value between 0 and 255. Now it gets trickier if you want a value between 0 and 106, right? How do you do that? Well, the typical way people will do that is taking a random byte and then reducing it modulo the value I want to be the limit, right? So here, if I reduce it modulo 107, I'm happy, because every number up to 106 will stay the same, and then 107 will become 0, 108 will become 1, everything is mapped onto the range you want to query from. But that's actually an issue, because you don't have a multiple of 107 amongst the 256 possibilities you can get from a random byte. So what you've just done here is introducing a modulo bias, because for the first 107 values, 0 to 106, that's fine. The next 106 values, it's fine again, but once you reach 214, up to 255, these are going to be mapped towards the first 42 values. And so you get biased randomness, and it's super easy to get biased randomness, because you just picked a random value, which was good, you reduced it modulo the value you wanted to reduce it to, and suddenly it's not a good random value anymore. And this is leaking your private key already if you're signing stuff with a value that was generated in that way.

And so the best way to avoid such bias is obviously to not do it yourself and rely on your cryptographic library. Python has a secrets module since Python 3.6; Go and Rust have very good random generator functions. But in general, if you need to do it yourself, what you want to do is rely on so-called rejection sampling, where you will pick a value at random and see if it's in the range you want; if it is, then you're fine, if not, you reject it and you pick a new one, again at random. And that's going to be uniformly distributed and it's not going to be biased. And I've got a guide to modulo bias and how to avoid it; it's a blog post I wrote like two or three years ago, and if you want to check it out, I welcome you to read it.

So now we've seen these different kinds of randomness. Let's see how we can solve the issue of public, verifiable, distributed randomness, right? So if we look a bit at the history of public randomness, we can see that Michael Rabin already proposed the use of random beacons, and that's where the beacon word comes from, in 1993, to secure transactions. Well, that was before Bitcoin and before blockchain, so these transactions are not the same as the transactions we might be looking at nowadays, but the base idea was the same as what we have now, and what he says in his paper is that it is impossible without a trusted third party. And that's something we are actually going to challenge in a bit. Next we can see in 1998 a website such as random.org that offers a random number generator anybody can use, and they are getting their randomness from atmospheric noise: physical process, good entropy, everybody's happy, right? Well, do you verify it was actually taken from atmospheric noise? You cannot, and so you have to trust them, and usually you don't like trusting random people on the internet, right? So next we have NIST, which comes in 2011 and says the internet needs a public, verifiable, trusted randomness beacon system. And it's funny, because NIST is not the most trusted party out there, right? But they went ahead and they launched their first NIST beacon in 2013, and the NIST beacon is based on secure hardware, so you have to trust the secure hardware NIST is using to produce the proper true randomness from quantum entanglement, which is a cool way of producing randomness, and then they publish it online with a signature. You can verify the signature on everything. That's public verifiable randomness, except it's generated by a single trusted third party, which is not something we want, right?

So when we look at previous attempts to generate public randomness, we can see none of them are really great. There was a paper about using Bitcoin to try and do it, because why not? Promising, but Bitcoin is super slow and it relies on proof-of-work, which is not something we really like nowadays, right? So, meh. Next, in 2016, another paper came out which had a super cool technique to do distributed randomness in a publicly verifiable way. So that sounds like the way to go, right?
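Going back to the modulo bias the speaker walked through above: as an added example (not code from the talk, nor from drand), this Python puts the naive byte-mod-107 reduction beside the rejection-sampling fix and the `secrets.randbelow` call he recommends. The `mod_distribution` count is exact over all 256 byte values, and the injectable `rand_byte` feed is a constructed test aid, not a randomness source.

```python
# Added example (not from the talk): modulo bias on a random byte reduced
# mod 107, the rejection-sampling fix, and the stdlib call to prefer.
import secrets
from collections import Counter
from typing import Callable, Dict

BYTE_SPACE = 256   # a random byte gives 256 equiprobable values
RANGE = 107        # we want 0..106, as in the talk


def _urandom_byte() -> int:
    """One byte from the OS CSPRNG (os.urandom underneath)."""
    return secrets.randbits(8)


def naive_mod(n: int, rand_byte: Callable[[], int] = _urandom_byte) -> int:
    """Naive approach: one random byte reduced modulo n (biased unless n divides 256)."""
    return rand_byte() % n


def rejection_sample(n: int, rand_byte: Callable[[], int] = _urandom_byte) -> int:
    """Redraw until the byte lands below the largest multiple of n that fits in 256.

    For n=107 the limit is 214: bytes 214..255, which the naive reduction folds
    onto 0..41 a third time, are rejected instead of folded.
    """
    limit = BYTE_SPACE - (BYTE_SPACE % n)
    while True:
        b = rand_byte()
        if b < limit:
            return b % n


def library_way(n: int) -> int:
    """What the talk recommends: let the library do the rejection sampling."""
    return secrets.randbelow(n)


def mod_distribution(n: int) -> Dict[int, int]:
    """Exact count of how many of the 256 byte values the naive reduction maps to each output."""
    return Counter(b % n for b in range(BYTE_SPACE))


def bias_ratio(n: int) -> float:
    """Probability of the most likely output over the least likely one (1.0 means unbiased)."""
    counts = mod_distribution(n)
    return max(counts.values()) / min(counts.values())


def rejection_rate(n: int) -> float:
    """Fraction of byte draws rejection_sample throws away for this n."""
    return (BYTE_SPACE % n) / BYTE_SPACE


if __name__ == "__main__":
    dist = mod_distribution(RANGE)
    # outputs 0..41 are hit 3 times, 42..106 only twice: that is the bias
    print("hits for 0, 41, 42, 106:", dist[0], dist[41], dist[42], dist[106])
    print("bias ratio for mod 107:", bias_ratio(RANGE))
    print("rejection rate for 107:", rejection_rate(RANGE))
    print("one rejection-sampled value:", rejection_sample(RANGE))
    print("one secrets.randbelow value:", library_way(RANGE))
```

For a 256-bit ECDSA nonce the same rule applies with a 256-bit draw instead of a byte: compare against the largest multiple of the group order, and redraw rather than reduce.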
Except it was super slow and it was using Schnorr signatures, which, yeah, it was doing a bunch of really nice things, but it was not so efficient. So the question we had was: can we do it in a simpler and faster way? And that's how we came up with the answer that yes, we can. And so the internet needed a randomness service that is just like the NTP servers you use to get the time on your device, right? That is public, free and available. And so we came up with the notion of drand, which stands for distributed randomness, which is a highly available, decentralized and publicly verifiable source of randomness, and we'll see how that works.

So drand is open source software. You can download it on GitHub, you can check it, you can review it. It was even audited, so, so far so good. Next, it is really meant to be run as a network of nodes. So you will have multiple nodes running the same software; I mean, you could reimplement it as well, there is a spec. And then what it does is basically it relies on distributed key generation, which is a cool way of using verifiable secret sharing and threshold cryptography to generate a key that no single node ever sees or gets in memory, but that every node in the network can agree is the right key. And then it will use BLS, so the Boneh-Lynn-Shacham signature scheme, on the BLS12-381 pairing curve to do signatures. And the funny thing with BLS signatures is that you can take any number of BLS signatures and you can aggregate them into a single signature. And so each node in the network is going to sign a value, and that signed value means nothing until you take them together, aggregate them, and get the aggregate signature, which can be verified to be coming from that group. And the nice thing is you only need a threshold of nodes. So if you have 20 nodes, you could say, okay, my threshold is 10, and you generate during the distributed key generation a public key that will allow any 10 nodes to generate a valid signature for the group. Those are called group signatures, and we use the signature as a way to produce randomness, because a good signature cannot be distinguished from a random value. So that's a rule for cryptographic signatures: if you have a good signature scheme, you cannot distinguish a signature from a random value. So we take the group signature from the group of nodes and that product gives us a random value. And that random value is generated in a decentralized way, is unpredictable because it's indistinguishable from random, it's resistant to bias, and you can verify it was generated by that group of nodes since it's a signature. So, yeah, we did it, right?

And we actually did it: so we launched in 2019 the League of Entropy, which was a team of people who decided to run drand on their servers, and you can try it out now in your browser, or using curl or whatever, you can just see it running for two or three years now. And the League of Entropy was actually founded by Cloudflare, Kudelski Security, Protocol Labs, a bunch of other companies which are running, you know, internet stuff, and it's really meant to provide you with public verifiable randomness which is unbiased, which is unpredictable, and that's highly available. And it's been running like that with these 16 members, with 23 nodes and a threshold of 12. So it means half of the nodes can go offline and you would still get proper randomness produced. And it's been running like that, oh, sorry, since 2019, which is pretty cool because it means we did it, right?
And a nice thing is also that Cloudflare has a set of lava lamps in their offices they can use as a true random generator to bring fresh entropy into the network. So we get all the benefits: on one side we get a set of nodes where we don't need to trust a single node, and on the other side we get some nodes which are providing fresh true random values. Like the University of Chile is also part of the network, and they use the data from seismic events in Chile to produce the randomness, and so on. So that's pretty nice.

And the nice thing also with drand is that it's supporting so-called multi-protocol support since very recently; we launched it last week, actually. And that means we can expand the network to do more things that we couldn't before, like we could have post-quantum algorithms running, we could have a faster network, because the current tick is like every 30 seconds, so we could say, oh, let's do every five seconds, and this is ongoing.

And the other nice thing about drand is also that it used to be chained randomness, because we were looking at blockchain tech and all that kind of thing, and we decided it was pretty cool to be able to, you know, chain all the beacons together. And what we recently changed about drand is that instead of producing rounds that are linked to the previous round, which made it super difficult to verify because you need a stateful system and have to look at the previous round, and it's a bit annoying, you know, we decided we could just get rid of the chains. And now we have like one round, which is fine, and the next round, which is fine, and they are independent, so you don't need the state anymore. And why am I talking about unchained randomness?
You might be asking. It's because it's pretty interesting: it enabled us to do super cool things such as time-lock encryption, and that's something that's upcoming. We're currently developing it, but it basically says you can encrypt something towards the future. So let's say I want to encrypt something which cannot be decrypted until, I say, August. I could use the trust assumption that we have in the League of Entropy to produce proper randomness on time every 30 seconds until August, and thanks to the pairings and all the fun crypto we use behind the scenes, we can encrypt data that you can decrypt once the network produces a signature. So we are kind of using a signature as a secret key. Yeah, you heard me, but it actually works, and nobody can decrypt the data until the given time has arrived, as long as the network still runs, obviously. And this is pretty cool because it's something which was first an idea on the cypherpunk mailing list that was submitted by Tim May, who is like the founder of this cypherpunk movement and the crypto-anarchists, and that has been unsolved for 30 years, and now we're bringing it live soon. And yeah, I'm looking forward to it.

So obviously it's cool to have a public randomness service, but we need people to use it. So I'm here to tell you it exists. We did it. We solved the issue of public, verifiable, distributed randomness. It's highly available. It's been running for three years without a single disruption. So, yeah, if you have any kind of cool project where you need to do, I don't know, a lottery, or you need public randomness, please use it, and I'm here to also answer your questions and help you with that if you need. And finally, I know I'm talking to a lot of security professionals, so you could go ahead and say, oh, we want to build our own public network which is running next to yours. That's cool. Do it.
Please, by all means, but you could also say, hey, I want to join the cool League of Entropy thing because I've got a server sitting in my house and I'm not using it. So please do as well; we are looking for new members. It's not taking too much time to set up, and then it runs. So, yeah, and with that I'm done. So thank you very much for listening about randomness and public randomness, and you can send your questions on Slido.