How Computers Generate Random Numbers — Is It Really Random?
The common way to generate the random number in real life are rolling a dice, flipping a coin and even talking a number without thinking. What about computer? It neither has dice nor coin also it cannot think as human brain. If it is just a piece of code, isn’t it possible the numbers the computer generates could be predictable? Where does the “randomness” actually come from?
Why we need random number?
Gambling, Lottery and unpredictable results in a computer game are the applications that firstly come up with when we talk about application of random number. Aside from them, randomness stands a really essential role in the cryptography. Verification code, for example, is exactly based on the randomness. We need to create some random characters to prevent the operations from script code (purchase limited tickets online). Cryptography requires the way to generate the number is unpredictable to attacker thus the number can be regarded as random.
What is random number?
To answer how to generate a random number, we need to know the definition of it. In cryptography, we group the random numbers into two types, depending on how they’re generated: “True” random numbers and pseudo-random numbers.
True random number means it is impossible for attacker to predict. Computer measures some physical phenomenon that takes place in the natural. These physical phenomena are validated to be unpredictable, hence the number computer measures are pure random. For example, some unpredictable processes like thermal or atmospheric noise and radioactive decay of an atom. People cannot figure out the rule of the fluctuations of thermal and atmospheric noise nor when radioactive decay would occur.
Pseudo-random numbers are an alternative to “true” random numbers. It relies on a value and a function to create a random number. In this case, computer does not gather any information from outside, and totally depends on computer itself. Apparently, it is predictable. If an attacker, for example, knows the algorithm and value that a pseudorandom number generator uses. He can work backward and determine the pseudorandom number in a certain time.
Does that mean pseudorandom number is not a good choice?
As mentioned before, pseudorandom number is predictable in theory. However, it is not a bad thing in every situation. For example, in music player, random play is exactly based on pseudorandom number. It really doesn’t matter whether it is true or not. Even in the cryptography, pseudorandom number is secure enough in most cases. In practical, people will have many measurements to make the generator function really hard to disclose. In common sense, there are two criteria to evaluate whether the generator is secure enough. First, if calculations are greater than age of universe: 100 years or 1000 years to break it. It can be considered as secure. Second, if the cost of attack is far greater than the benefit. For example, attacker may be plan to break the verification code for booking some tickets without limitation. If it requires massive computation to break the generator function, attacker may give up cause the cost on high performance computer is quite high.
The interesting thing is, in some cases, we have to use the pseudorandom number. For example, the principle of car remote control device is based on the pseudorandom number. To ensure the security, the password of the car lock can be used only one time. Both remote control device and car will generate a new pseudorandom number to match as key for lock, hence the theft cannot open the car even he obtains the current password. In this case, we have to apply pseudorandom number generator, because we need car and remote control device to generate the same number at same time. As long as the value and generator function is known to both car and control device, this mission is quite simple to complete. However, with respect to the theft, it is a “true” random number cause the value and generator function are obscure to him.
That means, if the generator function is strong enough, the pseudorandom number can be regarded as a “true” random number.