Cloudflare uses lava lamps as a random number generator
fastcodesign.comI'm now looking forward to a future article from security researchers:
"Prediction of a random stream from a lava lamp model constructed from entropic data inferred from encrypted packets"
So they created a giant side-channel by putting their entropy-source next to a public window?
I'm guessing they use this alongside CSPRNGs. Would make sense given the theorem that states any random number XORed with even highly-ordered input maintains its entropy.
There are lots of people in the crypto world who have serious issues with XORing random sources together.
I haven't yet seen a good argument why it's a bad idea, and part of me thinks it might be a way to get more software using "rdrand" or other insecure sources unmodified.
I think the bad idea stigma stems from people XORing from the same source. That totally is a bad idea, but if two sources are wholly independent, the maximum entropy in the combined systems is maintained.
To the people that just say it's never a good idea and scoff at any reasoning I'd remind them about OTPs. They are a special case related to this principle of XORing two independent sources together where only one input is random and it is proven mathematically to work.
Pretty sure an attacker would have to observe the array from the same point of perspective as the camera to mount a successful side channel attack.
don't forget the room heating. I'm sure a wall of of 25-100w incandescents can get pretty toasty.
very green.
I would use plasma spheres (e.g. [0], but there are lots of them out there). A single plasma sphere generates a visual display that changes much faster and is much less predictable moment-to-moment than a lava lamp -- so you wouldn't need nearly so many of them -- and uses much less power into the bargain.
[0] https://www.scientificsonline.com/product/nebula-plasma-ball
Is this a perfect rng at the current state of technology? If not, why and are there currently perfect ones. What would an rng require to be perfect?
Nothing new here, move along.
This was first done by SGI ages ago...
joe
Article+Cloudflare acknowledges this (although they credit Sun not SGI)