# How Computers Generate Random Numbers — Is It Really Random?

The common way to generate the random number in real life are rolling a dice, flipping a coin and even talking a number without thinking. What about computer? It neither has dice nor coin also it cannot think as human brain. If it is just a piece of code, isn’t it possible the numbers the computer generates could be predictable? Where does the “randomness” actually come from?

**Why we need random number?**

Gambling, Lottery and unpredictable results in a computer game are the applications that firstly come up with when we talk about application of random number. Aside from them, randomness stands a really essential role in the cryptography. Verification code, for example, is exactly based on the randomness. We need to create some random characters to prevent the operations from script code (purchase limited tickets online). Cryptography requires the way to generate the number is unpredictable to attacker thus the number can be regarded as random.

**What is random number?**

To answer how to generate a random number, we need to know the definition of it. In cryptography, we group the random numbers into two types, depending on how they’re generated: “True” random numbers and pseudo-random numbers.

True random number means it is impossible for attacker to predict. Computer measures some physical phenomenon that takes place in the natural. These physical phenomena are validated to be unpredictable, hence the number computer measures are pure random. For example, some unpredictable processes like thermal or atmospheric noise and radioactive decay of an atom. People cannot figure out the rule of the fluctuations of thermal and atmospheric noise nor when radioactive decay would occur.

Pseudo-random numbers are an alternative to “true” random numbers. It relies on a value and a function to create a random number. In this case, computer does not gather any information from outside, and totally depends on computer itself. Apparently, it is predictable. If an attacker, for example, knows the algorithm and value that a pseudorandom number generator uses. He can work backward and determine the pseudorandom number in a certain time.

**Does that mean pseudorandom number is not a good choice?**

As mentioned before, pseudorandom number is predictable in theory. However, it is not a bad thing in every situation. For example, in music player, random play is exactly based on pseudorandom number. It really doesn’t matter whether it is true or not. Even in the cryptography, pseudorandom number is secure enough in most cases. In practical, people will have many measurements to make the generator function really hard to disclose. In common sense, there are two criteria to evaluate whether the generator is secure enough. First, if calculations are greater than age of universe: 100 years or 1000 years to break it. It can be considered as secure. Second, if the cost of attack is far greater than the benefit. For example, attacker may be plan to break the verification code for booking some tickets without limitation. If it requires massive computation to break the generator function, attacker may give up cause the cost on high performance computer is quite high.

The interesting thing is, in some cases, we have to use the pseudorandom number. For example, the principle of car remote control device is based on the pseudorandom number. To ensure the security, the password of the car lock can be used only one time. Both remote control device and car will generate a new pseudorandom number to match as key for lock, hence the theft cannot open the car even he obtains the current password. In this case, we have to apply pseudorandom number generator, because we need car and remote control device to generate the same number at same time. As long as the value and generator function is known to both car and control device, this mission is quite simple to complete. However, with respect to the theft, it is a “true” random number cause the value and generator function are obscure to him.

That means, if the generator function is strong enough, the pseudorandom number can be regarded as a “true” random number.

*Categories*

Very interesting read Xiaofan! I find random numbers not only relevant to computers but to many processes dependent on it too. I deal with pseudo-random numbers in modelling using certain software, and there certainly is discussion on if pseudo-randomly generated numbers are good enough for it.

Hi Ben

Thanks for comment. It really depends on what you are going to protect and how you can endure the loss of the security. The cost of obtaining true random numbers is quite larger than pseudorandom number. It looks like a problem that which vault you are going to choose in real life. If you just want to save $1000, you will definitely not pay over $1000 on a vault to save it. But if you want to protect something that once you loss you will loss everything, you will definitely want a completed secure vault regardless of its cost. True random number can provide completed security but cost is large. In some cases that need high security, we definitely require true random number.

Great blog – I was just wondering if true random numbers are ever used at all? If pseudorandom numbers are almost always sufficient?