Random number generator: Difference between revisions
imported>Sandy Harris No edit summary |
imported>Howard C. Berkowitz (Emphasized the article is first about random numbers, with the method of generation being a decision following problem definition) |
||
| Line 5: | Line 5: | ||
| date = Second Edition, 1996 | | date = Second Edition, 1996 | ||
| publisher = John Wiley & Sons | | publisher = John Wiley & Sons | ||
}} p. 46 </ref> | }} p. 46 </ref> This article focuses first on the idea of randomness, rather than on how the random or pseudo-random sequence is produced. For properly selected applications, it may be possible to be adequately random with a technique that does not depend on a true random physical process. In other cases, it may be practical to use a combination of physical and computational methods. | ||
" | {{quotation|Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult.|IETF Best Current Practice 106<ref name=RFC4086>{{citation | ||
| id = RFC 4086; IETF Best Current Practice 106 | |||
| title = Randomness Requirements for Security | |||
| first1 = D. 3rd | last1 = Eastlake | first2 = J. |last2 = Schiller | first3 = S. | last3 = Crocker | |||
| date = June 2005 | |||
| url = http://www.ietf.org/rfc/rfc4086.txt}} p. 1</ref>}} | |||
A truly random one-time pad ''may'' be generated with a combination of measurement of a random physical phenomenon (e.g., thermal noise or radioactive disintegrations), which is then captured by a computer and put into high-density storage. An expert in the physical phenomenon being measured. The measurement may be self-similar in a way that can be exploited statistically; see [[fractal]] for a specific type of self-similarity. | |||
There are a wide range of applications for random or pseudo-random numbers, with various degrees of randomness. A computer game can give an apparently different scenario whenever played, with some simple fairly random physical inputs, such as selected bits from the computer's time of day clock, and, perhaps, the time between the last several keystrokes or mouse movements. In other cases, such as extremely critical [[cryptography]], only the best uncorrelated physical random sequences will do. See [[#Random number/related articles| related articles]] for examples of applications. | |||
==Random sequences from physical phenomena== | |||
Real-world physical phenomena often exhibit randomness, although some it is possible to be random in the short term, yet may exhibit some unexpected patterns or self-similarity. The number of cosmic rays striking an object at a given second is as random a process as is known. The number of disintegration events, in a radioactive material, is often considered random, but consider that if the amount of radioisotope is finite, as more and more half-lives pass, there will be fewer disintegrations. There is no simple answer to the question of whether a downward trend in disintegrations makes that sequence nonrandom. "Many natural sources of random bits may be defective in that they produce biased output bits (so that the probability of a one is different than the probability of a zero), or bits which are correlated with each | |||
other." <ref name=Goldwasser2008>{{citation | other." <ref name=Goldwasser2008>{{citation | ||
| contribution = Chapter 3, Pseudo-random bit generators | | contribution = Chapter 3, Pseudo-random bit generators | ||
| Line 13: | Line 23: | ||
| title = Lecture Notes on Cryptography | | title = Lecture Notes on Cryptography | ||
| first1=Shafi | last1 = Goldwasser | first2 = Mihir | last2 = Bellare | | first1=Shafi | last1 = Goldwasser | first2 = Mihir | last2 = Bellare | ||
| date = July 2008}} p. 39 </ref> | | date = July 2008}} p. 39 </ref> | ||
There are, however, methods that can be used to postprocess such a source to remove the correlation. | |||
==Manual generation== | |||
In the past, one-time pads were generated by typists who were told to type randomly, but, in practice, had patterns. Limited to manual methods, a not-unreasonable way is to put numbered balls in a bowl, having a blindfolded person take it out, the number recorded, the ball returned to the bowl, and the bowl shaken thorougly before taking the next ball. | |||
This is a point mostly of historical interest, but typist patterns did cause weakness in some [[one-time pad]]s. It is hard to imagine why manual generation would be useful today. | |||
==Pseudorandom number generators== | ==Pseudorandom number generators== | ||
In practical computing, it is convenient to use a '''pseudorandom number generator (PRNG)''', which produces a sufficiently varying sequence that, for example, a computer game driven with that generator appears to produce different characteristics each time that it is played. Nevertheless, most PRNGs that are operating system utilities, such as UNIX <code>random()</code>, will eventually repeat the sequence over a sufficiently long period of time. In addition, the programmer may have the choice of giving an explicit initialization value, which may be called a '''seed''' or a '''nonce''', to the PRNG. | In practical computing, it is convenient to use a '''pseudorandom number generator (PRNG)''', which produces a sufficiently varying sequence that, for example, a computer game driven with that generator appears to produce different characteristics each time that it is played. Nevertheless, most PRNGs that are operating system utilities, such as UNIX <code>random()</code>, will eventually repeat the sequence over a sufficiently long period of time. In addition, the programmer may have the choice of giving an explicit initialization value, which may be called a '''seed''' or a '''nonce''', to the PRNG. | ||
| Line 33: | Line 44: | ||
It is possible to write very good and very bad pseudorandom number generators. Known pitfalls need to be avoided, both in initialization and in computing the next number. | It is possible to write very good and very bad pseudorandom number generators. Known pitfalls need to be avoided, both in initialization and in computing the next number. | ||
===Known bad ideas=== | ===Known bad ideas=== | ||
===Some PRNGs=== | ===Some PRNGs=== | ||
| Line 51: | Line 49: | ||
Knuth illustrates the most commonly used PRNG, which he attributes to D.H. Lehmer in 1949<ref>Knuth, p. 10</ref> | Knuth illustrates the most commonly used PRNG, which he attributes to D.H. Lehmer in 1949<ref>Knuth, p. 10</ref> | ||
====OFB and CTR Sequences==== | ====OFB and CTR Sequences==== | ||
Encryption devices can be used as practical and strong PRNGs, if the output applies some type of masking so an adversary cannot know the full internal state of the genertor.<ref>Eastlake | Encryption devices can be used as practical and strong PRNGs, if the output applies some type of masking so an adversary cannot know the full internal state of the genertor.<ref> Eastlake ''et al.'' p. 24</ref> | ||
====Blum Blum Shub==== | ====Blum Blum Shub==== | ||
This is the strongest known generator, with the advantage of relative simplicity, but the disadvantage of being computationally intensive. If it is used to generate numbers hatht are not needed frequently, it may be useful.<ref>Eastlake, p. 25</ref> <ref>Goldwasser & Ballare, p. 47</ref> | This is the strongest known generator, with the advantage of relative simplicity, but the disadvantage of being computationally intensive. If it is used to generate numbers hatht are not needed frequently, it may be useful.<ref>Eastlake, p. 25</ref> <ref>Goldwasser & Ballare, p. 47</ref> | ||
| Line 57: | Line 55: | ||
The possibility also exists that one or more processors could be dedicated to BBS computation. | The possibility also exists that one or more processors could be dedicated to BBS computation. | ||
===The possibility of pseudo-random methods that are adequately random=== | ===The possibility of pseudo-random methods that are adequately random=== | ||
Some research indicates that in carefully selected situations, a pseudo-random number generator, which meets a number of cryptographic criteria, may be adequately random for security. The proofs are complex and not universally accepted, but may be true for a useful number of situations.<ref>Eastlake ''et al.'' | Some research indicates that in carefully selected situations, a pseudo-random number generator, which meets a number of cryptographic criteria, may be adequately random for security. The proofs are complex and not universally accepted, but may be true for a useful number of situations.<ref>Eastlake ''et al.'', pp. 23-27</ref> <ref name=Goldwasser2008>{{citation | ||
| contribution = Chapter 3, Pseudo-random bit generators | | contribution = Chapter 3, Pseudo-random bit generators | ||
| url = http://www.cs.ucsd.edu/~mihir/papers/gb.pdf | | url = http://www.cs.ucsd.edu/~mihir/papers/gb.pdf | ||
| Line 63: | Line 61: | ||
| first1=Shafi | last1 = Goldwasser | first2 = Mihir | last2 = Bellare | | first1=Shafi | last1 = Goldwasser | first2 = Mihir | last2 = Bellare | ||
| date = July 2008}}</ref> | | date = July 2008}}</ref> | ||
==Random numbers that follow particular statistical distributions== | |||
In many applications, the exact sequence is desired to be as random as possible, but the sequence may be under additional constraints to meet specific statistical requirements. | |||
See [[normal distribution#Generating values for normal random variables|generating values for normal random variables]] for an example of generating random numbers that fit a desired distribution. | |||
==Testing for Randomness== | ==Testing for Randomness== | ||
Knuth presents an extensive range of tests, of which a few are mentioned here. | It is entirely reasonable to have individual numbers recur in a random sequence — a random sequence may even have a "run" of a number such as 100 354 972 972 972 155 579. Indeed, when typists have been asked to type randomly, they may intuitively avoid runs and produce a less random sequence. | ||
Knuth presents an extensive range of tests, of which a few are mentioned here. It is entirely reasonable to have individual numbers recur in a random sequence — a random sequence may even have a "run" of a number such as 100 354 972 972 972 155 579. Indeed, when typists have been asked to type randomly, they may intuitively avoid runs and produce a less random sequence.It is entirely reasonable to have individual numbers recur in a random sequence — a random sequence may even have a "run" of a number such as 100 354 972 972 972 155 579. Indeed, when typists have been asked to type randomly, they may intuitively avoid runs and produce a less random sequence. | |||
===Chi-squared statistic=== | ===Chi-squared statistic=== | ||
===Frequency test=== | ===Frequency test=== | ||
Revision as of 19:33, 3 August 2008
While defining true randomness can drift from computer science and mathematics into philosophy, Bruce Schneier has a reasonable criterion for a source of random numbers: "It cannot be reliably reproduced."[1] This article focuses first on the idea of randomness, rather than on how the random or pseudo-random sequence is produced. For properly selected applications, it may be possible to be adequately random with a technique that does not depend on a true random physical process. In other cases, it may be practical to use a combination of physical and computational methods.
Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. — IETF Best Current Practice 106[2]
A truly random one-time pad may be generated with a combination of measurement of a random physical phenomenon (e.g., thermal noise or radioactive disintegrations), which is then captured by a computer and put into high-density storage. An expert in the physical phenomenon being measured. The measurement may be self-similar in a way that can be exploited statistically; see fractal for a specific type of self-similarity.
There are a wide range of applications for random or pseudo-random numbers, with various degrees of randomness. A computer game can give an apparently different scenario whenever played, with some simple fairly random physical inputs, such as selected bits from the computer's time of day clock, and, perhaps, the time between the last several keystrokes or mouse movements. In other cases, such as extremely critical cryptography, only the best uncorrelated physical random sequences will do. See related articles for examples of applications.
Random sequences from physical phenomena
Real-world physical phenomena often exhibit randomness, although some it is possible to be random in the short term, yet may exhibit some unexpected patterns or self-similarity. The number of cosmic rays striking an object at a given second is as random a process as is known. The number of disintegration events, in a radioactive material, is often considered random, but consider that if the amount of radioisotope is finite, as more and more half-lives pass, there will be fewer disintegrations. There is no simple answer to the question of whether a downward trend in disintegrations makes that sequence nonrandom. "Many natural sources of random bits may be defective in that they produce biased output bits (so that the probability of a one is different than the probability of a zero), or bits which are correlated with each other." [3]
There are, however, methods that can be used to postprocess such a source to remove the correlation.
Manual generation
In the past, one-time pads were generated by typists who were told to type randomly, but, in practice, had patterns. Limited to manual methods, a not-unreasonable way is to put numbered balls in a bowl, having a blindfolded person take it out, the number recorded, the ball returned to the bowl, and the bowl shaken thorougly before taking the next ball.
This is a point mostly of historical interest, but typist patterns did cause weakness in some one-time pads. It is hard to imagine why manual generation would be useful today.
Pseudorandom number generators
In practical computing, it is convenient to use a pseudorandom number generator (PRNG), which produces a sufficiently varying sequence that, for example, a computer game driven with that generator appears to produce different characteristics each time that it is played. Nevertheless, most PRNGs that are operating system utilities, such as UNIX random(), will eventually repeat the sequence over a sufficiently long period of time. In addition, the programmer may have the choice of giving an explicit initialization value, which may be called a seed or a nonce, to the PRNG.
Most general-purpose PRNGs will produce the same sequence as long as they are given the same seed, which can even be useful for some software development purposes (see pitfalls in computer simulation, or for such things as being sure that a series of psychological research volunteers all see the same set of events. A given PRNG, however, may be told to use some reasonably random physical event in the computer as the seed, such that the seed is unpredictable.
Donald Knuth, an authority on PRNGs, quoted John von Neumann in a tongue-in-cheek but realistic view of the limits of PRNGs[4]:
Anyone who considers arithmetical method of producing random digits is, of course, in a state of sin — John von Neumann (1951)
It is possible to write very good and very bad pseudorandom number generators. Known pitfalls need to be avoided, both in initialization and in computing the next number.
Known bad ideas
Some PRNGs
Linear congruential
Knuth illustrates the most commonly used PRNG, which he attributes to D.H. Lehmer in 1949[5]
OFB and CTR Sequences
Encryption devices can be used as practical and strong PRNGs, if the output applies some type of masking so an adversary cannot know the full internal state of the genertor.[6]
Blum Blum Shub
This is the strongest known generator, with the advantage of relative simplicity, but the disadvantage of being computationally intensive. If it is used to generate numbers hatht are not needed frequently, it may be useful.[7] [8]
The possibility also exists that one or more processors could be dedicated to BBS computation.
The possibility of pseudo-random methods that are adequately random
Some research indicates that in carefully selected situations, a pseudo-random number generator, which meets a number of cryptographic criteria, may be adequately random for security. The proofs are complex and not universally accepted, but may be true for a useful number of situations.[9] [3]
Random numbers that follow particular statistical distributions
In many applications, the exact sequence is desired to be as random as possible, but the sequence may be under additional constraints to meet specific statistical requirements.
See generating values for normal random variables for an example of generating random numbers that fit a desired distribution.
Testing for Randomness
It is entirely reasonable to have individual numbers recur in a random sequence — a random sequence may even have a "run" of a number such as 100 354 972 972 972 155 579. Indeed, when typists have been asked to type randomly, they may intuitively avoid runs and produce a less random sequence.
Knuth presents an extensive range of tests, of which a few are mentioned here. It is entirely reasonable to have individual numbers recur in a random sequence — a random sequence may even have a "run" of a number such as 100 354 972 972 972 155 579. Indeed, when typists have been asked to type randomly, they may intuitively avoid runs and produce a less random sequence.It is entirely reasonable to have individual numbers recur in a random sequence — a random sequence may even have a "run" of a number such as 100 354 972 972 972 155 579. Indeed, when typists have been asked to type randomly, they may intuitively avoid runs and produce a less random sequence.
Chi-squared statistic
Frequency test
Serial test
Gap test
Partition test
References
- ↑ Schneier, Bruce (Second Edition, 1996), Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons p. 46
- ↑ Eastlake, D. 3rd; J. Schiller & S. Crocker (June 2005), Randomness Requirements for Security, RFC 4086; IETF Best Current Practice 106 p. 1
- ↑ 3.0 3.1 Goldwasser, Shafi & Mihir Bellare (July 2008), Chapter 3, Pseudo-random bit generators, Lecture Notes on Cryptography p. 39 Cite error: Invalid
<ref>tag; name "Goldwasser2008" defined multiple times with different content - ↑ Knuth, Donald (3rd Edition, 1998), Chapter III, Random Numbers, The Art of Computer Programming, Volume II: Seminumerical Algorithms, Addison-Wesley
- ↑ Knuth, p. 10
- ↑ Eastlake et al. p. 24
- ↑ Eastlake, p. 25
- ↑ Goldwasser & Ballare, p. 47
- ↑ Eastlake et al., pp. 23-27