Cloudflare Joins the League of Entropy

Internet security firm Cloudflare this week revealed its participation in “League of Entropy,” a worldwide effort of individuals and academic institutions to bring users a quorum of decentralized randomness beacons. 

Building on the Randomness Beacons project at NIST, League of Entropy is a network of beacons designed to produce distributed, publicly verifiable random outputs. These can then be used in applications where the nature of the randomness must be publicly audited.

Randomness beacons are servers designed to generate completely unpredictable 512-bit strings (about 155-digit numbers) at regular intervals, and the idea behind them emerged from the need for constant generation of substantially large, unpredictable numbers.

Random numbers have a broad range of uses, from lotteries and competitions to elections and cryptographic computations, and can affect the lives of millions of people, which makes it imperative to ensure they are difficult or impossible to predict.

“You might think using a randomness beacon for random generation processes, such as those needed for lottery selection, would make the process resilient against adversarial manipulation, but that’s not the case. Single-source randomness has been exploited to generate biased results,” Cloudflare’s Dina Kozlov explains.

This is where League of Entropy, which is based on the drand project, steps in: it aims to eliminate the possible exploitation of a beacon's single point of origin by offering eight independent, globally distributed beacons instead.

Drand ensures that the distributed randomness generation completes successfully with high probability, that the output is not predictable, that the random output represents an unbiased, uniformly random value, except with negligible probability, and that the output is third-party verifiable against the collective public key computed during drand’s setup. 

The unpredictability of a number is measured by its entropy, so a higher level of entropy is needed to ensure the randomness of generated numbers, and this is where the League of Entropy draws its name from.

Each of the founding members contributes its own high-entropy source to provide a more random and unpredictable beacon that generates publicly verifiable random values every sixty seconds. The beacon is decentralized and built using appropriate, provably-secure cryptographic primitives, Cloudflare notes.

“This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers. Even if one or two of the servers or their entropy sources were to be compromised, the rest will still ensure that the jointly-produced entropy is fully unpredictable and unbiasable,” Kozlov continues.
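The fault tolerance described above can be illustrated with threshold secret sharing. The following is an added example, not code from the article, Cloudflare or the drand project: a simplified dealerless sharing in which every node contributes entropy and any T of N online nodes recover the same joint value. The threshold of 5, the field prime and all function names are assumptions, and drand itself produces threshold signatures checked against the collective public key rather than reconstructing a secret in the clear.

```python
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime, large enough to hold 512-bit values
N, T = 8, 5      # eight beacons per the article; threshold 5 is an assumption

def deal(secret, n=N, t=T):
    """One node's contribution: shares of a random degree t-1 polynomial."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}

def joint_shares(contributions):
    """Each node sums the shares it received; no node holds the joint secret."""
    dealt = [deal(s) for s in contributions]
    return {x: sum(d[x] for d in dealt) % P for x in range(1, N + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from a dict {node index: share}."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def beacon_output(shares):
    """512-bit output derived from whichever shares are online."""
    return hashlib.sha512(reconstruct(shares).to_bytes(66, "big")).hexdigest()

def demo():
    # Constructed input: nodes 1 and 2 use attacker-known entropy (zero),
    # the other six contribute fresh randomness.
    contributions = [0, 0] + [secrets.randbelow(P) for _ in range(N - 2)]
    shares = joint_shares(contributions)
    online_a = {x: shares[x] for x in (1, 2, 3, 4, 5)}   # nodes 6-8 offline
    online_b = {x: shares[x] for x in (4, 5, 6, 7, 8)}   # nodes 1-3 offline
    too_few = {x: shares[x] for x in (1, 2, 3, 4)}       # below threshold
    joint = sum(contributions) % P
    return (reconstruct(online_a) == joint, reconstruct(online_b) == joint,
            reconstruct(too_few) == joint,
            beacon_output(online_a) == beacon_output(online_b))

if __name__ == "__main__":
    print(demo())
```

The joint value is the sum of all contributions, so it stays uniformly random as long as at least one contributor's entropy is honest, and any quorum of five yields the same output while four nodes do not.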

The League of Entropy currently includes Cloudflare, Protocol Labs researcher Nicolas Gailly, University of Chile, École polytechnique fédérale de Lausanne (EPFL), Kudelski Security, and EPFL researchers Philipp Jovanovic and Ludovic Barman.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
