random number generators

TheInfoList

Random number generation is a process by which, often by means of a random number generator (RNG), a sequence of
number A number is a mathematical object A mathematical object is an abstract concept arising in mathematics. In the usual language of mathematics, an ''object'' is anything that has been (or could be) formally defined, and with which one may do deduct ...

s or
symbol A symbol is a mark, sign, or that indicates, signifies, or is understood as representing an , , or . Symbols allow people to go beyond what is n or seen by creating linkages between otherwise very different s and s. All (and ) is achieved th ...

s that cannot be reasonably predicted better than by
random In common parlance, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no :wikt:order, order and does not follow an intelligible pattern or combination. I ...

chance is generated. This means that the particular outcome sequence will contain some patterns detectable in hindsight but unpredictable to foresight. True random number generators can be '' hardware random-number generators'' (HRNGS) that generate random numbers, wherein each generation is a function of the current value of a physical environment's attribute that is constantly changing in a manner that is practically impossible to model. This would be in contrast to so-called "random number generations" done by ''
pseudorandom number generator A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm In and , an algorithm () is a finite sequence of , computer-implementable instructions, typically to solve a class of proble ...
s'' (PRNGs) that generate numbers that only look random but are in fact pre-determined—these generations can be reproduced simply by knowing the state of the PRNG. Various
applications of randomness Randomness In common parlance, randomness is the apparent or actual lack of pattern A pattern is a regularity in the world, in human-made design, or in abstract ideas. As such, the elements of a pattern repeat in a predictable manner. A ...
have led to the development of several different methods for generating
random In common parlance, randomness is the apparent or actual lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no :wikt:order, order and does not follow an intelligible pattern or combination. I ...
data. Some of these have existed since ancient times, among whose ranks are well-known "classic" examples, including the rolling of
dice Dice (singular die or dice) are small, throwable objects with marked sides that can rest in multiple positions. They are used for generating Statistical randomness, random numbers, commonly as part of tabletop games, including List of dice game ...

,
coin flipping Coin flipping, coin tossing, or heads or tails is the practice of throwing a coin A coin is a small, flat, (usually, depending on the country or value) round piece of metal A metal (from Ancient Greek, Greek μέταλλον ''métallon'' ...

, the
shuffling Shuffling is a procedure used to randomization, randomize a deck of playing cards to provide an element of chance in card games. Shuffling is often followed by a cut (cards), cut, to help ensure that the shuffler has not manipulated the outcome. ...
of
playing card A playing card is a piece of specially prepared , heavy paper, thin cardboard, , cotton-paper blend, or thin plastic that is marked with distinguishing motifs. Often the front (face) and back of each card has a to make handling easier. They ar ...
s, the use of
yarrow ''Achillea millefolium'', commonly known as yarrow () or common yarrow, is a flowering plant The flowering plants, also known as Angiospermae (), or Magnoliophyta (), are the most diverse group of Embryophyte, land plants, with 64 Order(biolo ...

stalks (for
divination Divination (from Latin ''divinare'', 'to foresee, to foretell, to predict, to prophesy') is the attempt to gain insight into a question or situation by way of an occult The occult, in the broadest sense, is a category of supernatural The ...

) in the
I Ching The ''I Ching'' or ''Yi Jing'' (, ), usually translated as ''Book of Changes'' or ''Classic of Changes'', is an ancient Chinese divination text and among the oldest of the Chinese classics. Originally a divination manual in the Western Zhou ...
, as well as countless other techniques. Because of the mechanical nature of these techniques, generating large quantities of sufficiently random numbers (important in statistics) required much work and time. Thus, results would sometimes be collected and distributed as
random number table Random number tables have been used in statistics Statistics is the discipline that concerns the collection, organization, analysis, interpretation, and presentation of data. In applying statistics to a scientific, industrial, or social probl ...
s. Several computational methods for pseudorandom number generation exist. All fall short of the goal of true randomness, although they may meet, with varying success, some of the statistical tests for randomness intended to measure how unpredictable their results are (that is, to what degree their patterns are discernible). This generally makes them unusable for applications such as
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia ''-logy'' is a suffix In linguistics Linguistics is the science, scientific study of language. It encompa ...

. However, carefully designed ''cryptographically secure pseudorandom number generators'' (CSPRNGS) also exist, with special features specifically designed for use in cryptography.

# Practical applications and uses

Random number generators have applications in
gambling Gambling (also known as betting) is the wagering something of ("the stakes") on an with an uncertain outcome with the intent of winning something else of value. Gambling thus requires three elements to be present: (an amount wagered), (cha ...
,
statistical sampling In statistics Statistics is the discipline that concerns the collection, organization, analysis, interpretation, and presentation of data. In applying statistics to a scientific, industrial, or social problem, it is conventional to begin w ...
, computer simulation,
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia ''-logy'' is a suffix In linguistics Linguistics is the science, scientific study of language. It encompa ...

, completely randomized design, and other areas where producing an unpredictable result is desirable. Generally, in applications having unpredictability as the paramount feature, such as in security applications, Hardware random number generator, hardware generators are generally preferred over pseudorandom algorithms, where feasible. Pseudorandom number generators are very useful in developing Monte Carlo method, Monte Carlo-method simulations, as debugging is facilitated by the ability to run the same sequence of random numbers again by starting from the same ''random seed''. They are also used in cryptography – so long as the ''seed'' is secret. Sender and receiver can generate the same set of numbers automatically to use as keys. The generation of pseudorandom numbers is an important and common task in computer programming. While cryptography and certain numerical algorithms require a very high degree of ''apparent'' randomness, many other operations only need a modest amount of unpredictability. Some simple examples might be presenting a user with a "random quote of the day", or determining which way a computer-controlled adversary might move in a computer game. Weaker forms of ''randomness'' are used in hash algorithms and in creating amortization, amortized search algorithm, searching and sorting algorithms. Some applications which appear at first sight to be suitable for randomization are in fact not quite so simple. For instance, a system that "randomly" selects music tracks for a background music system must only ''appear'' random, and may even have ways to control the selection of music: a true random system would have no restriction on the same item appearing two or three times in succession.

# "True" vs. pseudo-random numbers

There are two principal methods used to generate random numbers. The first method measures some physical phenomenon that is expected to be random and then compensates for possible biases in the measurement process. Example sources include measuring atmospheric noise, thermal noise, and other external electromagnetic and quantum phenomena. For example, cosmic background radiation or radioactive decay as measured over short timescales represent sources of natural Entropy (information theory), entropy. The speed at which entropy can be harvested from natural sources is dependent on the underlying physical phenomena being measured. Thus, sources of naturally occurring "true" entropy are said to be blocking (computing), blocking they are rate-limited until enough entropy is harvested to meet the demand. On some Unix-like systems, including most Linux distributions, the pseudo device file will block until sufficient entropy is harvested from the environment. Due to this blocking behavior, large bulk reads from , such as filling a hard disk drive with random bits, can often be slow on systems that use this type of entropy source. The second method uses computational algorithms that can produce long sequences of apparently random results, which are in fact completely determined by a shorter initial value, known as a seed value or key (cryptography), key. As a result, the entire seemingly random sequence can be reproduced if the seed value is known. This type of random number generator is often called a
pseudorandom number generator A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm In and , an algorithm () is a finite sequence of , computer-implementable instructions, typically to solve a class of proble ...
. This type of generator typically does not rely on sources of naturally occurring entropy, though it may be periodically seeded by natural sources. This generator type is non-blocking, so they are not rate-limited by an external event, making large bulk reads a possibility. Some systems take a hybrid approach, providing randomness harvested from natural sources when available, and falling back to periodically re-seeded software-based cryptographically secure pseudorandom number generators (CSPRNGs). The fallback occurs when the desired read rate of randomness exceeds the ability of the natural harvesting approach to keep up with the demand. This approach avoids the rate-limited blocking behavior of random number generators based on slower and purely environmental methods. While a pseudorandom number generator based solely on deterministic logic can never be regarded as a "true" random number source in the purest sense of the word, in practice they are generally sufficient even for demanding security-critical applications. Carefully designed and implemented pseudorandom number generators can be certified for security-critical cryptographic purposes, as is the case with the yarrow algorithm and fortuna (PRNG), fortuna. The former is the basis of the source of entropy on FreeBSD, AIX, OS X, NetBSD, and others. OpenBSD uses a pseudorandom number algorithm known as RC4#RC4-based random number generators, arc4random.

# Generation methods

## Physical methods

The earliest methods for generating random numbers, such as dice, coin flipping and roulette wheels, are still used today, mainly in games and gambling as they tend to be too slow for most applications in statistics and cryptography. A physical random number generator can be based on an essentially random atomic or subatomic physical phenomenon whose unpredictability can be traced to the laws of quantum mechanics. Sources of entropy (information theory), entropy include radioactive decay, Johnson–Nyquist noise, thermal noise, shot noise, avalanche noise in Zener diodes, clock drift#Random number generators, clock drift, the timing of actual movements of a hard disk read-write head, and Noise (radio), radio noise. However, physical phenomena and tools used to measure them generally feature asymmetries and systematic biases that make their outcomes not uniformly random. A randomness extractor, such as a cryptographic hash function, can be used to approach a uniform distribution of bits from a non-uniformly random source, though at a lower bit rate. The appearance of wideband photonic entropy sources, such as optical chaos and amplified spontaneous emission noise, greatly aid the development of the physical random number generator. Among them, optical chaos has a high potential to physically produce high-speed random numbers due to its high bandwidth and large amplitude. A prototype of a high speed, real-time physical random bit generator based on a chaotic laser was built in 2013. Various imaginative ways of collecting this entropic information have been devised. One technique is to run a hash function against a frame of a video stream from an unpredictable source. Lavarand used this technique with images of a number of lava lamps
HotBits
measures radioactive decay with Geiger–Muller tubes, while Random.org uses variations in the amplitude of atmospheric noise recorded with a normal radio. Another common entropy source is the behavior of human users of the system. While people are not considered good randomness generators upon request, they generate random behavior quite well in the context of playing mixed strategy games. Some security-related computer software requires the user to make a lengthy series of mouse movements or keyboard inputs to create sufficient entropy needed to generate random key (cryptography), keys or to initialize pseudorandom number generators.

## Computational methods

Most computer generated random numbers use PRNGs which are algorithms that can automatically create long runs of numbers with good random properties but eventually the sequence repeats (or the memory usage grows without bound). These random numbers are fine in many situations but are not as random as numbers generated from electromagnetic atmospheric noise used as a source of entropy. The series of values generated by such algorithms is generally determined by a fixed number called a seed. One of the most common Pseudorandom number generator, PRNG is the linear congruential generator, which uses the recurrence :$X_ = \left(a X_n + b\right)\, \textrm\, m$ to generate numbers, where , and are large integers, and $X_$ is the next in as a series of pseudorandom numbers. The maximum number of numbers the formula can produce is one less than the Modulus (algebraic number theory), modulus, -1. The recurrence relation can be extended to matrices to have much longer periods and better statistical properties . To avoid certain non-random properties of a single linear congruential generator, several such random number generators with slightly different values of the multiplier coefficient, , can be used in parallel, with a "master" random number generator that selects from among the several different generators. A simple pen-and-paper method for generating random numbers is the so-called middle square method suggested by John von Neumann. While simple to implement, its output is of poor quality. It has a very short period and severe weaknesses, such as the output sequence almost always converging to zero. A recent innovation is to combine the middle square with a Weyl sequence. This method produces high quality output through a long period. Most computer programming languages include functions or library routines that provide random number generators. They are often designed to provide a random byte or word, or a floating point number Uniform distribution (continuous), uniformly distributed between 0 and 1. The quality i.e. randomness of such library functions varies widely from completely predictable output, to cryptographically secure. The default random number generator in many languages, including Python, Ruby, R, IDL and PHP is based on the Mersenne Twister algorithm and is ''not'' sufficient for cryptography purposes, as is explicitly stated in the language documentation. Such library functions often have poor statistical properties and some will repeat patterns after only tens of thousands of trials. They are often initialized using a computer's real time clock as the seed, since such a clock generally measures in milliseconds, far beyond the person's Accuracy and precision, precision. These functions may provide enough randomness for certain tasks (for example video games) but are unsuitable where high-quality randomness is required, such as in cryptography applications, statistics or numerical analysis. Much higher quality random number sources are available on most operating systems; for example /dev/random on various BSD flavors, Linux, Mac OS X, IRIX, and Solaris, or CryptGenRandom for Microsoft Windows. Most programming languages, including those mentioned above, provide a means to access these higher quality sources.

## By humans

Random number generation may also be performed by humans, in the form of collecting various inputs from end users and using them as a randomization source. However, most studies find that human subjects have some degree of non-randomness when attempting to produce a random sequence of e.g. digits or letters. They may alternate too much between choices when compared to a good random generator; thus, this approach is not widely used.

# Post-processing and statistical checks

Even given a source of plausible random numbers (perhaps from a quantum mechanically based hardware generator), obtaining numbers which are completely unbiased takes care. In addition, behavior of these generators often changes with temperature, power supply voltage, the age of the device, or other outside interference. And a software bug in a pseudorandom number routine, or a hardware bug in the hardware it runs on, may be similarly difficult to detect. Generated random numbers are sometimes subjected to statistical tests before use to ensure that the underlying source is still working, and then post-processed to improve their statistical properties. An example would be the TRNG9803 hardware random number generator, which uses an entropy measurement as a hardware test, and then post-processes the random sequence with a shift register stream cipher. It is generally hard to use statistical tests to validate the generated random numbers. Wang and Nicol proposed a distance-based statistical testing technique that is used to identify the weaknesses of several random generators. Li and Wang proposed a method of testing random numbers based on laser chaotic entropy sources using Brownian motion properties.

# Other considerations

## Reshaping the distribution

### Uniform distributions

Most random number generators natively work with integers or individual bits, so an extra step is required to arrive at the "canonical" uniform distribution between 0 and 1. The implementation is not as trivial as dividing the integer by its maximum possible value. Specifically: # The integer used in the transformation must provide enough bits for the intended precision. # The nature of floating-point math itself means there exists more precision the closer the number is to zero. This extra precision is usually not used due to the sheer number of bits required. # Rounding error in division may bias the result. At worst, a supposedly excluded bound may be drawn countrary to expectations based on real-number math. The mainstream algorithm, used by OpenJDK, Rust, and Numpy, is described in a proposal for C++'s STL. It does not use the extra precision and suffers from bias only in the last bit due to round-to-even. Other numeric concerns are warranted when shifting this "canonical" uniform distribution to a different range. A proposed method for the Swift programming language claims to use the full precision everywhere. Uniformly distributed integers are commonly used in algorithms such as the Fisher–Yates shuffle. Again, a naive implementation may induce a modulo bias into the result, so more involved algorithms must be used. A method that nearly never performs division was described in 2018 by Daniel Lemire, with the current state-of-the-art being the arithmetic encoding-inspired 2021 "optimal algorithm" by Stephen Canon of Apple Inc. Most 0 to 1 RNGs include 0 but exclude 1, while others include or exclude both.

### Other distributions

Given a source of uniform random numbers, there are a couple of methods to create a new random source that corresponds to a probability density function. One method, called the Inverse transform sampling, inversion method, involves integrating up to an area greater than or equal to the random number (which should be generated between 0 and 1 for proper distributions). A second method, called the Rejection sampling, acceptance-rejection method, involves choosing an x and y value and testing whether the function of x is greater than the y value. If it is, the x value is accepted. Otherwise, the x value is rejected and the algorithm tries again.
-> As an example for rejection sampling, to generate a pair of Statistical independence, statistically independent Normal distribution, standard normally distributed random numbers (''x'', ''y''), one may first generate the polar coordinates (''r'', ''θ''), where ''r''2~Chi-squared distribution, χ22 and ''θ''~Uniform distribution (continuous), UNIFORM(0,2π) (see Box–Muller transform).

## Whitening

The outputs of multiple independent RNGs can be combined (for example, using a bit-wise XOR operation) to provide a combined RNG at least as good as the best RNG used. This is referred to as Hardware random number generator#Software whitening, software whitening. Computational and hardware random number generators are sometimes combined to reflect the benefits of both kinds. Computational random number generators can typically generate pseudorandom numbers much faster than physical generators, while physical generators can generate "true randomness."

# Low-discrepancy sequences as an alternative

Some computations making use of a random number generator can be summarized as the computation of a total or average value, such as the computation of integrals by the Monte Carlo method. For such problems, it may be possible to find a more accurate solution by the use of so-called low-discrepancy sequences, also called quasirandom numbers. Such sequences have a definite pattern that fills in gaps evenly, qualitatively speaking; a truly random sequence may, and usually does, leave larger gaps.

# Activities and demonstrations

The following sites make available random number samples: * The SOCR resource pages contain a number of hands-on interactive activities and demonstrations of random number generation using Java applets. * The Quantum Optics Group at the ANU generates random numbers sourced from quantum vacuum. Sample of random numbers are available at their quantum random number generator research page. * Random.org makes available random numbers that are sourced from the randomness of atmospheric noise. * The Quantum Random Bit Generator Service at the Ruđer Bošković Institute harvests randomness from the quantum process of photonic emission in semiconductors. They supply a variety of ways of fetching the data, including libraries for several programming languages. * The Group at the Taiyuan University of Technology generates random numbers sourced from a chaotic laser. Samples of random number are available at their Physical Random Number Generator Service.

# Backdoors

Since much cryptography depends on a cryptographically secure random number generator for key and cryptographic nonce generation, if a random number generator can be made predictable, it can be used as backdoor (computing), backdoor by an attacker to break the encryption. The NSA is reported to have inserted a backdoor into the National Institute of Standards and Technology, NIST certified cryptographically secure pseudorandom number generator Dual EC DRBG. If for example an SSL connection is created using this random number generator, then according to Matthew Green (cryptographer), Matthew Green it would allow NSA to determine the state of the random number generator, and thereby eventually be able to read all data sent over the SSL connection. Even though it was apparent that Dual_EC_DRBG was a very poor and possibly backdoored pseudorandom number generator long before the NSA backdoor was confirmed in 2013, it had seen significant usage in practice until 2013, for example by the prominent security company RSA Security. There have subsequently been accusations that RSA Security knowingly inserted a NSA backdoor into its products, possibly as part of the Bullrun (decryption program), Bullrun program. RSA has denied knowingly inserting a backdoor into its products. It has also been theorized that hardware RNGs could be secretly modified to have less entropy than stated, which would make encryption using the hardware RNG susceptible to attack. One such method which has been published works by modifying the dopant mask of the chip, which would be undetectable to optical reverse-engineering. For example, for random number generation in Linux, it is seen as unacceptable to use Intel's RDRAND hardware RNG without mixing in the RDRAND output with other sources of entropy to counteract any backdoors in the hardware RNG, especially after the revelation of the NSA Bullrun program. In 2010, Hot Lotto fraud scandal, a U.S. lottery draw was rigged by the information security director of the Multi-State Lottery Association (MUSL), who surreptitiously installed backdoor malware on the MUSL's secure RNG computer during routine maintenance. During the hacks the man won a total amount of \$16,500,000 by predicting the numbers correctly a few times in year. Address space layout randomization (ASLR), a mitigation against rowhammer and related attacks on the physical hardware of memory chips has been found to be inadequate as of early 2017 by VUSec. The random number algorithm, if based on a shift register implemented in hardware, is predictable at sufficiently large values of p and can be reverse engineered with enough processing power (Brute-force attack, Brute Force Hack). This also indirectly means that malware using this method can run on both GPUs and CPUs if coded to do so, even using GPU to break ASLR on the CPU itself.

* Flipism * League of entropy * List of random number generators * PP (complexity) * Procedural generation * Randomized algorithm * Random password generator * Random variable, contains a chance-dependent value

# References

* * * * *
NIST SP800-90A, B, C series on random number generation
*

Random Number Generator
by GoOnlineTools
RANDOM.ORG
True Random Number Service
Quantum random number generator
at ANU *
jRand
a Java-based framework for the generation of simulation sequences, including pseudorandom sequences of numbers

Randomness Beacon
at NIST, broadcasting full-entropy bit-strings in blocks of 512 bits every 60 seconds. Designed to provide unpredictability, autonomy, and consistency.
A system call for random numbers: getrandom()
a LWN.net article describing a dedicated Linux system call
Statistical Properties of Pseudo Random Sequences and Experiments with PHP and Debian OpenSSL

Random Sequence Generator based on Avalanche Noise
{{Authority control Random number generation, Information theory