
Randomness and Entropy

What are Randomness and Entropy?

Most modern encryption relies on randomly generated keys. Random numbers are used in many places within information technology, and they are also used in other fields, such as the sciences. In mathematical statistics, randomness has been defined as “of or relating to a type of circumstance or event that is described by a probability distribution.”1 The most commonly cited mathematical definition, Kolmogorov-Chaitin complexity, defines a random string as one that has no shorter description than the string itself.2 If a large string cannot be compressed, it is said to be random. However, sequences of numbers created through mathematical algorithms cannot truly be random, though some random data has been shown, through mathematics and statistics, either to take on the properties of randomness or, at some point, to show a discernible pattern; these levels of mechanical statistics are referred to as entropy.

Entropy has been defined through communication theory as “the numerical measure of the uncertainty of an outcome, utilizing statistical probability.”2 Entropy can be understood as a measure of possible patterns present within random data. In cybersecurity, entropy is the measure of randomness or diversity of the binary numbers collected by an operating system or application for use in generating cryptographic keys. As entropy grows in quality and quantity, cryptographic keys generated from it become increasingly difficult to guess, which improves the level of encryption.

Entropy as a Service (EaaS) is an internet service designed to provide high-quality entropy to IoT devices, embedded systems, and cloud providers. These entropy sources are based on physical processes of ring oscillators or quantum devices that can provide true randomness. NIST offers a secure method of providing seeds for random number generators (RNGs) that are built into devices and applications.3 NIST recommends that developers configure their applications and devices to send HTTP GET requests for the necessary number of bytes of random data to an EaaS server and receive freshly generated random data using a related EaaS protocol. According to NIST, an EaaS system should have the following components:

  • A quantum entropy device
  • An EaaS server
  • A hardware root of trust device in the client’s system

An EaaS server doesn’t provide cryptographic keys to its clients; it securely supplies clients’ RNGs with unique seeds. NIST recommends seeding applications with responses from multiple EaaS servers. EaaS architecture is scalable and can include thousands of EaaS servers across the world, which is important for establishing collective authority and keeping the architecture open and viewable by experts. To further increase security, developers can mix random data obtained from an EaaS server with locally produced pseudo-random data (using hashing) or with data received from another EaaS server.
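The mixing step described above, as an added example that is not code from NIST or from this article: local random data and the responses from two EaaS servers are hashed into a single RNG seed. SHA-256, the length-prefix framing, the label, the 16-byte minimum and the sample response bytes are assumptions made for the example; fetching and authenticating the responses is out of scope here.

```python
import hashlib
import os

LABEL = b"example-eaas-seed-mix-v1"  # assumed domain-separation label
MIN_LEN = 16                         # assumed minimum bytes per input


def frame(part: bytes) -> bytes:
    """Length-prefix an input so that [A, B] and [A + B] hash differently."""
    return len(part).to_bytes(4, "big") + part


def mix_entropy(remote_responses, local_bytes):
    """Hash local random data together with one or more EaaS responses.

    The 32-byte result is a seed for the local RNG, not a key. It stays
    unpredictable as long as at least one input has enough entropy and
    is unknown to an attacker.
    """
    inputs = [local_bytes, *remote_responses]
    if not remote_responses:
        raise ValueError("need at least one EaaS response")
    if any(len(p) < MIN_LEN for p in inputs):
        raise ValueError("input shorter than MIN_LEN bytes")
    if len(set(inputs)) != len(inputs):
        # The same bytes twice add nothing and may indicate a replayed response.
        raise ValueError("duplicate input")
    h = hashlib.sha256(frame(LABEL))
    for p in inputs:
        h.update(frame(p))
    return h.digest()


if __name__ == "__main__":
    # Constructed stand-ins for the bodies of two EaaS responses.
    server_a = bytes(range(32))
    server_b = bytes(range(32, 64))
    local = os.urandom(32)  # locally produced random data
    seed = mix_entropy([server_a, server_b], local)
    print("seed: ", seed.hex())
    # Even if both responses were known to an attacker, a different
    # local contribution yields an unrelated seed.
    print("other:", mix_entropy([server_a, server_b], os.urandom(32)).hex())
```

Because every input is length-prefixed before hashing, a single 64-byte response and two 32-byte responses with the same bytes produce different seeds, so one server's data cannot be passed off as two.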

1 Research Solutions and Resources, 2001, “Chi-Squared Theory”

2 Thorn, 2021, “Randomness and Entropy- An Introduction”

3 Vassilev & Staples, 2016, “Entropy as a Service: Unlocking Cryptography’s Full Potential”